BETA Shoulder is in beta — Findings may sometimes be wrong. Your feedback shapes what we fix next. Share feedback
Shoulder.dev

Understand what every change actually did to your system.
📈

Allocation of Resources Without Limits or Throttling

🛡️ 3 rules detect this

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated.

Without limits on resource allocation, an attacker can consume all available resources, causing denial of service for legitimate users.

Prevalence
High
Frequently exploited
Impact
Medium
Review recommended
Prevention
Documented
3 fix examples
2 Prevention
2 Prevention

How to fix this vulnerability

Prevention strategies for Allocation Without Limits based on 3 Shoulder detection rules.

🟨 JavaScript View all JavaScript details →
Request Size Limits in Express.js MEDIUM

Set size limits on body parser middleware to prevent memory exhaustion

+2 -2 javascript 
- app.use(express.json());
- app.use(express.urlencoded({ extended: true }));
+ app.use(express.json({ limit: '100kb' }));
+ app.use(express.urlencoded({ extended: true, limit: '100kb' }));
Prisma Unbounded Relation Loading MEDIUM

Add 'take' limits to all relation includes to prevent unbounded data loading and resource exhaustion

+9 -2 javascript 
  import { PrismaClient } from '@prisma/client';
  const prisma = new PrismaClient();
  
  app.get('/api/users/:id', async (req, res) => {
    const user = await prisma.user.findUnique({
      where: { id: req.params.id },
      include: {
-       posts: true,         // Could be thousands of posts
-       comments: true,      // Could be tens of thousands
+       posts: {
+         take: 20,
+         orderBy: { createdAt: 'desc' },
+         select: { id: true, title: true, createdAt: true },
+       },
+       comments: {
+         take: 50,
+         orderBy: { createdAt: 'desc' },
+       },
      }
    });
    res.json(user);
  });
🐍 Python View all Python details →
Missing API Rate Limiting MEDIUM

Add rate limiting to authentication and expensive API endpoints

+7 -2 python 
  from flask import Flask, request, jsonify
- 
- @app.route('/api/login', methods=['POST'])
+ from flask_limiter import Limiter
+ from flask_limiter.util import get_remote_address
+ 
+ limiter = Limiter(app=app, key_func=get_remote_address)
+ 
+ @app.route('/api/login', methods=['POST'])
+ @limiter.limit("5 per minute")
  def login():
      user = authenticate(request.json)
      return jsonify({'token': generate_token(user)})

Key Practices

  • limited
3 Detection
3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your codebase for Allocation of Resources Without Limits or Throttling patterns. 3 rules.

terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=770

# Or scan entire project
npx @shoulderdev/cli trust .

Detection Rules (3)

4 Warning Signs
4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Allocation of Resources Without Limits or Throttling vulnerabilities. Look for these during code reviews and security audits.

🟡
Body parser without size limit: ... Without request size limits, attackers can send oversized payloads causing memory ex javascript-express-request-size-limits
🟡
missing or inadequate request size limits in Express javascript-express-request-size-limits
🟡
Relation '...' loaded without 'take' limit. This can cause resource exhaustion if users have many related records. prisma-unsafe-include
🟡
API endpoint lacks rate limiting protection python-missing-rate-limiting
🟡
API endpoints without rate limiting python-missing-rate-limiting
🔍

Scan your codebase for Allocation of Resources Without Limits or Throttling

Shoulder CLI finds vulnerable patterns across your entire codebase.

npx shoulder trust Browse all rules