# Uncontrolled Resource Consumption (CWE-400)

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

**Stack:** JavaScript

- Prevalence: 高 频繁被利用
- Impact: 中 建议审查
- Prevention: 已记录 8 个修复示例

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service.

## Prevention

基于 2 条 Shoulder 检测规则的 Resource Exhaustion 预防策略。

### JavaScript

Set max_tokens limits and validate input length before LLM API calls

Configure timeout and maxBuffer for child process execution to prevent resource exhaustion

## Warning Signs

- [MEDIUM] LLM API call lacks resource limits (...)
- [MEDIUM] AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks
- [MEDIUM] child process execution (exec, spawn) without proper resource limits

## Consequences

- 拒绝服务 (DoS):资源消耗
- 拒绝服务 (DoS):崩溃/退出/重启

## Mitigations

- 实施速率限制
- 使用资源配额
- 为操作设置超时

## Detection

- Total rules: 8
- Languages: go, javascript, typescript, yaml, python

## Rules by Language

### Javascript (2 rules)

- **LLM Denial of Service** [MEDIUM]: Detects AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks. OWASP LLM04 - Model Denial of Service.

DoS attacks against LLMs can:
- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability

This rule detects:
- Missing max_tokens limits on completions
- Missing input length validation
- Unbounded streaming responses

NOTE: Rate limiting is covered separately by the Express rate-limiting 
  - Remediation: Set max_tokens limits and validate input length before LLM calls.

```javascript
const response = await openai.chat.completions.create({
  model: 'gpt-4',
  messages: [{ role: 'user', content: message.substring(0, 2000) }],
  max_tokens: 500
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-400/llm-denial-of-service
- **Denial of Service via Unbounded Child Processes** [MEDIUM]: Detects child process execution (exec, spawn) without proper resource limits.
Without timeout or maxBuffer configuration, these processes can:
- Hang indefinitely, consuming server resources
- Flood memory with unbounded output
- Enable DoS attacks through resource exhaustion

This is especially critical when the command can be influenced by user input
or interacts with external resources (network requests, git operations, etc.).
  - Remediation: Configure timeout and maxBuffer for child process execution:

```javascript
const { exec } = require('child_process');
const { promisify } = require('util');
const execPromise = promisify(exec);

const { stdout } = await execPromise(`ping -c 4 ${domain}`, {
  timeout: 5000,
  maxBuffer: 1024 * 100
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-400/unbounded-exec-dos

### Typescript (2 rules)

- **LLM Denial of Service** [MEDIUM]: Detects AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks. OWASP LLM04 - Model Denial of Service.

DoS attacks against LLMs can:
- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability

This rule detects:
- Missing max_tokens limits on completions
- Missing input length validation
- Unbounded streaming responses

NOTE: Rate limiting is covered separately by the Express rate-limiting 
  - Remediation: Set max_tokens limits and validate input length before LLM calls.

```javascript
const response = await openai.chat.completions.create({
  model: 'gpt-4',
  messages: [{ role: 'user', content: message.substring(0, 2000) }],
  max_tokens: 500
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-400/llm-denial-of-service
- **Denial of Service via Unbounded Child Processes** [MEDIUM]: Detects child process execution (exec, spawn) without proper resource limits.
Without timeout or maxBuffer configuration, these processes can:
- Hang indefinitely, consuming server resources
- Flood memory with unbounded output
- Enable DoS attacks through resource exhaustion

This is especially critical when the command can be influenced by user input
or interacts with external resources (network requests, git operations, etc.).
  - Remediation: Configure timeout and maxBuffer for child process execution:

```javascript
const { exec } = require('child_process');
const { promisify } = require('util');
const execPromise = promisify(exec);

const { stdout } = await execPromise(`ping -c 4 ${domain}`, {
  timeout: 5000,
  maxBuffer: 1024 * 100
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-400/unbounded-exec-dos