# Allocation of Resources Without Limits or Throttling (CWE-770)

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated.

- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: Documented (3 fix examples)

**OWASP:** A05:2021 Security Misconfiguration (#5)

## Description

Without limits on resource allocation, an attacker can consume all available resources (memory, disk, database time, connections) and deny service to legitimate users. The allocation itself is usually legitimate; the flaw is that nothing bounds how much of it a single actor can trigger.

## Prevention

Prevention strategies for Allocation Without Limits, based on the 3 Shoulder detection rules listed under Rules by Language.

### Key Practices

### Node.js

- Set size limits on body parser middleware to prevent memory exhaustion.
- Add `take` limits to all relation includes to prevent unbounded data loading and resource exhaustion.

### Python

- Add rate limiting to authentication and expensive API endpoints.

## Warning Signs

- [MEDIUM] Body parser without size limit: ... Without request size limits, attackers can send oversized payloads causing memory exhaustion.
- [MEDIUM] Missing or inadequate request size limits in Express
- [MEDIUM] Relation '...' loaded without 'take' limit. This can cause resource exhaustion if users have many related records.
- [MEDIUM] API endpoint lacks rate limiting protection
- [MEDIUM] API endpoints without rate limiting

## Consequences

- DoS: Resource Consumption
- DoS: Crash/Exit/Restart

## Mitigations

- Implement rate limiting for all resource allocations that a client can trigger
- Set maximum limits for resource pools (request bodies, result sets, connections, worker slots)
- Monitor resource usage and implement alerts

## Detection

- Total rules: 3
- Languages: javascript, typescript, python

## Rules by Language

### Javascript and Typescript (2 rules)

The same two rules apply to both languages.

- **Request Size Limits in Express.js** [MEDIUM]: Detects missing or inadequate request size limits in Express.js applications. Without request size limits:
  1. Attackers can send large payloads to exhaust server memory (DoS).
  2. Disk space can be filled with uploaded content.
  3. JSON parsing of large payloads blocks the event loop, because `JSON.parse` is synchronous.
  4. Server resources are consumed processing oversized requests.

  Different content types need different limits:
  - JSON payloads are the most dangerous, since parsing them blocks the event loop.
  - File uploads may legitimately need larger limits.
  - URL-encoded data should be limited.

  Remediation: add size limits to the body parser middleware, chosen per content type according to your API's needs.

  ```javascript
  const express = require('express');
  const app = express();
  app.use(express.json({ limit: '100kb' }));                       // JSON
  app.use(express.urlencoded({ extended: true, limit: '100kb' }));  // forms
  app.use(express.raw({ limit: '1mb' }));                          // raw data
  ```

  A request over the limit is answered with 413 before its body is parsed. Two practitioner notes: body-parser's `json`, `urlencoded` and `raw` parsers already default to `100kb`, so the gap in real code is usually a limit that was raised globally (for example `'50mb'` to serve one upload route) or a multipart parser such as multer mounted without its `limits` option. Mount the larger limit only on the route that needs it rather than on `app.use` for the whole application.

- **Prisma Unbounded Relation Loading** [MEDIUM]: Unbounded includes without `take` limits can exhaust database and memory resources, causing denial of service: a single user with a very large number of related rows turns one `findUnique` into a query that loads all of them into the process.

  Remediation: add `take` limits to all relation includes.

  ```typescript
  // Only the ten most recent posts are loaded with the user, however many exist.
  const user = await prisma.user.findUnique({
    where: { id: userId },
    include: {
      posts: {
        take: 10,
        orderBy: { createdAt: 'desc' },
      },
    },
  });
  ```

  Learn more: https://shoulder.dev/learn/typescript/cwe-770/unsafe-include

  The same applies to top-level `findMany` calls, which return every matching row when `take` is omitted, and a `take` value that comes from the request must be clamped to a server-side maximum, otherwise the client simply sends a large one.

### Python (1 rule)

- **Missing API Rate Limiting** [MEDIUM]: Detects API endpoints without rate limiting. Unprotected endpoints are vulnerable to brute force attacks, credential stuffing, and denial of service. Always implement rate limiting on authentication, expensive operations, and public APIs.

  Remediation: add a rate limiting decorator to authentication and expensive endpoints.

  ```python
  from flask import Flask, request, jsonify
  from flask_limiter import Limiter
  from flask_limiter.util import get_remote_address

  app = Flask(__name__)
  # Every request is keyed by client address; over the limit Flask-Limiter answers 429.
  limiter = Limiter(app=app, key_func=get_remote_address)


  @app.route('/api/login', methods=['POST'])
  @limiter.limit("5 per minute")
  def login():
      # authenticate() and generate_token() stand in for the application's own logic
      user = authenticate(request.json)
      return jsonify({'token': generate_token(user)})
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-770/missing-rate-limiting

  Two caveats when deploying this: `get_remote_address` reads `request.remote_addr`, which behind a reverse proxy is the proxy's own address unless the app is configured to trust `X-Forwarded-For` (for example with Werkzeug's `ProxyFix`), so every client would share one bucket; and Flask-Limiter's default in-memory storage is per process, so a multi-worker deployment needs a shared backend such as Redis for the limit to hold. A per-address limit also does not stop distributed credential stuffing against one account; add a per-account limit on login as well.
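The Express rule above states the danger and shows only the one-line configuration. The following is an added example, not Shoulder's, Express's or body-parser's code: a dependency-free body reader in plain Node.js that enforces a per-Content-Type byte budget while the request is still streaming (the same two checks body-parser's raw-body performs: reject on a too-large `Content-Length` before reading, and reject again the moment the received byte count passes the limit, so a lying `Content-Length` does not help). The budget figures, the `fakeRequest` helper and the hypothetical middleware name are this example's assumptions.

```javascript
// Added example (not from the page or the projects it cites).
const { Readable } = require('node:stream');

// Per-Content-Type byte budgets, as the rule recommends. Figures are illustrative
// assumptions; size them to what each endpoint genuinely needs.
const BODY_LIMITS = {
  'application/json': 100 * 1024,                  // JSON.parse is synchronous: keep it small
  'application/x-www-form-urlencoded': 100 * 1024,
  'application/octet-stream': 1024 * 1024,         // raw uploads may need more
};
const DEFAULT_LIMIT = 16 * 1024;                   // unknown or missing type gets the smallest budget

function limitFor(contentType) {
  // Drop parameters such as "; charset=utf-8" and normalise case before the lookup.
  const mime = String(contentType || '').split(';')[0].trim().toLowerCase();
  return BODY_LIMITS[mime] ?? DEFAULT_LIMIT;
}

class PayloadTooLarge extends Error {
  constructor(limit, received) {
    super(`request body exceeds ${limit} bytes (at least ${received} received)`);
    this.name = 'PayloadTooLarge';
    this.statusCode = 413;
  }
}

// Resolves with the whole body as a Buffer, or rejects with PayloadTooLarge as soon as
// the running byte count passes `limit`; bytes past the limit are never buffered.
// A Content-Length that already exceeds the limit is rejected before any chunk is read;
// a malformed (NaN) Content-Length just falls through to the streaming check.
function readBodyWithLimit(stream, limit, contentLength) {
  return new Promise((resolve, reject) => {
    const declared = contentLength === undefined ? undefined : Number(contentLength);
    if (declared !== undefined && declared > limit) {
      reject(new PayloadTooLarge(limit, declared));
      return;
    }
    const chunks = [];
    let received = 0;
    let settled = false;
    const settle = (fn, value) => { if (!settled) { settled = true; fn(value); } };
    stream.on('data', (chunk) => {
      if (settled) return;
      const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
      received += buf.length;
      if (received > limit) {
        chunks.length = 0;      // release what was buffered so far
        stream.pause();         // stop consuming the upload instead of draining it
        settle(reject, new PayloadTooLarge(limit, received));
        return;
      }
      chunks.push(buf);
    });
    stream.on('end', () => settle(resolve, Buffer.concat(chunks)));
    stream.on('error', (err) => settle(reject, err));
  });
}

// Pick the budget from the request's Content-Type, read within it, and only then parse.
async function readJsonBody(req) {
  const limit = limitFor(req.headers['content-type']);
  const body = await readBodyWithLimit(req, limit, req.headers['content-length']);
  return JSON.parse(body.toString('utf8'));
}

// Hypothetical (req, res, next) middleware for a plain Node http server: attaches
// req.body or answers 413 (400 for malformed JSON). Connection: close tells the server
// not to keep the socket, and therefore the rest of the oversized upload, alive.
function jsonBodyMiddleware(req, res, next) {
  readJsonBody(req).then(
    (parsed) => { req.body = parsed; next(); },
    (err) => {
      res.writeHead(err.statusCode || 400, { 'Content-Type': 'text/plain', Connection: 'close' });
      res.end(`${err.name}: ${err.message}`);
    },
  );
}

// Constructed request-like stream for self-testing: body delivered in small chunks,
// with the headers a real IncomingMessage would carry.
function fakeRequest(body, contentType, chunkSize = 8) {
  const buf = Buffer.from(body);
  const chunks = [];
  for (let i = 0; i < buf.length; i += chunkSize) chunks.push(buf.subarray(i, i + chunkSize));
  const req = Readable.from(chunks);
  req.headers = { 'content-type': contentType, 'content-length': String(buf.length) };
  return req;
}
```

The point a one-line `limit` hides is that the check has to run before the bytes are stored: a reader that collects the whole body and measures it afterwards has already paid the memory cost the limit was meant to prevent.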
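The Prisma snippet above hard-codes `take: 10`. This added example, not Shoulder's or Prisma's code, goes one step further than the page: the page size arrives from the request and is clamped to a server-side ceiling, results are cursor-paginated instead of loaded at once, and the nested `include` is bounded the same way. No Prisma client is instantiated; the functions return the argument objects you would hand to `prisma.user.findUnique` and `prisma.post.findMany`, so they can be checked without a database. `MAX_PAGE_SIZE`, `DEFAULT_PAGE_SIZE` and the `authorId`/`title` field names are assumptions about the schema.

```javascript
// Added example (not from the page or from Prisma).
const MAX_PAGE_SIZE = 100;      // assumed hard ceiling no client can exceed
const DEFAULT_PAGE_SIZE = 20;

// Coerce an untrusted "take" (query string, JSON body, ...) into [1, MAX_PAGE_SIZE].
// NaN, negative, zero and non-integer values fall back to the default rather than
// erroring, so malformed input cannot switch the guard off.
function clampPageSize(requested, max = MAX_PAGE_SIZE, fallback = DEFAULT_PAGE_SIZE) {
  const n = Number(requested);
  if (!Number.isInteger(n) || n < 1) return fallback;
  return Math.min(n, max);
}

// Arguments for prisma.user.findUnique with a bounded nested include; the caller's
// requested size is clamped before it ever reaches the query.
function userWithRecentPostsArgs(userId, requestedTake) {
  return {
    where: { id: userId },
    include: {
      posts: {
        take: clampPageSize(requestedTake),
        orderBy: { createdAt: 'desc' },
      },
    },
  };
}

// Arguments for cursor pagination over prisma.post.findMany. One extra row is requested
// so the caller can tell whether a next page exists without a separate count query.
function postsPageArgs(userId, { take, cursor } = {}) {
  const pageSize = clampPageSize(take);
  const args = {
    where: { authorId: userId },
    orderBy: { createdAt: 'desc' },
    take: pageSize + 1,
    select: { id: true, title: true, createdAt: true },   // explicit fields, no nested relations
  };
  if (typeof cursor === 'string' && cursor.length > 0) {
    args.cursor = { id: cursor };
    args.skip = 1;   // the cursor row itself was already returned on the previous page
  }
  return args;
}

// Turn the (pageSize + 1) rows findMany returned into a page and the cursor for the next one.
function toPage(rows, pageSize) {
  const hasMore = rows.length > pageSize;
  const items = hasMore ? rows.slice(0, pageSize) : rows;
  return { items, nextCursor: hasMore ? items[items.length - 1].id : null };
}
```

`toPage` is fed whatever `findMany` returns; in a handler the sequence is `postsPageArgs` (bound the query), the Prisma call, then `toPage` (bound the response).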
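The Flask rule shows the decorator and nothing of what sits behind it. The following is an added example, not Shoulder's or Flask-Limiter's code, implementing the same control in JavaScript for the Express side of this page: a token-bucket limiter keyed per client, with two points the page's snippet does not cover. The limiter's own table is bounded, because a limiter that allocates a bucket for every key an attacker can spoof is itself a CWE-770 instance; and the client key is taken from `X-Forwarded-For` only when the peer is one of our trusted proxies. The `TokenBucketLimiter` class, `clientAddress`, `checkLogin` and the constructed requests are this example's assumptions; the injectable clock exists so the behaviour can be checked without sleeping.

```javascript
// Added example (not from the page, Express or Flask-Limiter).
class TokenBucketLimiter {
  // capacity = burst size, refillEveryMs = time to earn one token back;
  // "5 per minute" is { capacity: 5, refillEveryMs: 12000 }.
  constructor({ capacity, refillEveryMs, maxKeys = 100000, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillEveryMs = refillEveryMs;
    this.maxKeys = maxKeys;
    this.now = now;
    this.buckets = new Map();   // key -> { tokens, updatedAt }; Map preserves insertion order
  }

  // Consume one token for `key`. Returns whether the request may proceed and, if not,
  // how long the client should wait (the value for a Retry-After header).
  take(key) {
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (bucket === undefined) {
      if (this.buckets.size >= this.maxKeys) {
        // Table is full: evict the least recently used key (first in insertion order).
        this.buckets.delete(this.buckets.keys().next().value);
      }
      bucket = { tokens: this.capacity, updatedAt: t };
    } else {
      this.buckets.delete(key);   // re-inserted below, so this key becomes most recently used
      const elapsed = Math.max(0, t - bucket.updatedAt);
      bucket.tokens = Math.min(this.capacity, bucket.tokens + elapsed / this.refillEveryMs);
      bucket.updatedAt = t;
    }
    this.buckets.set(key, bucket);
    if (bucket.tokens >= 1) {
      bucket.tokens -= 1;
      return { allowed: true, remaining: Math.floor(bucket.tokens), retryAfterMs: 0 };
    }
    return { allowed: false, remaining: 0, retryAfterMs: Math.ceil((1 - bucket.tokens) * this.refillEveryMs) };
  }
}

// Address to key on. The socket peer is used unless it is one of our trusted reverse
// proxies, in which case the address that proxy appended (the last X-Forwarded-For
// entry) identifies the client. Trusting the header from any other peer lets an
// attacker choose their own key and sidestep the limit entirely.
function clientAddress(req, trustedProxies) {
  const peer = req.socket.remoteAddress;
  const xff = req.headers['x-forwarded-for'];
  if (trustedProxies.has(peer) && typeof xff === 'string' && xff.length > 0) {
    const parts = xff.split(',').map((s) => s.trim()).filter(Boolean);
    return parts[parts.length - 1];
  }
  return peer;
}

// Login gets two independent budgets: per source address (one client hammering many
// accounts) and per account (many clients hammering one account, as in credential
// stuffing). Both budgets are charged for every attempt, allowed or not.
function checkLogin(ipLimiter, accountLimiter, req, username, trustedProxies) {
  const ip = clientAddress(req, trustedProxies);
  const byIp = ipLimiter.take(`ip:${ip}`);
  const byAccount = accountLimiter.take(`acct:${username.trim().toLowerCase()}`);
  if (byIp.allowed && byAccount.allowed) return { allowed: true, retryAfterMs: 0 };
  return { allowed: false, retryAfterMs: Math.max(byIp.retryAfterMs, byAccount.retryAfterMs) };
}
```

Like Flask-Limiter's default storage, this table lives in one process; with several workers behind a load balancer each worker enforces its own copy of the limit, so a shared store is needed for the budget to hold across them.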