测试版 Shoulder 目前处于测试阶段 — 结果有时可能不正确。您的反馈塑造我们接下来要修复的内容。 分享反馈
Shoulder.dev

开发者威胁情报
📈

Allocation of Resources Without Limits or Throttling

🛡️ 3 条规则检测到此问题

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated.

Without limits on resource allocation, an attacker can consume all available resources, causing denial of service for legitimate users.

普遍性
频繁被利用
影响
建议审查
预防
已记录
3 个修复示例
2 预防
2 预防

如何修复此漏洞

基于 3 条 Shoulder 检测规则的 Allocation Without Limits 预防策略。

🟨 JavaScript 查看全部 JavaScript 详情 →
Request Size Limits in Express.js MEDIUM

Set size limits on body parser middleware to prevent memory exhaustion

+2 -2 javascript 
- app.use(express.json());
- app.use(express.urlencoded({ extended: true }));
+ app.use(express.json({ limit: '100kb' }));
+ app.use(express.urlencoded({ extended: true, limit: '100kb' }));
Prisma Unbounded Relation Loading MEDIUM

Add 'take' limits to all relation includes to prevent unbounded data loading and resource exhaustion

+9 -2 javascript 
  import { PrismaClient } from '@prisma/client';
  const prisma = new PrismaClient();
  
  app.get('/api/users/:id', async (req, res) => {
    const user = await prisma.user.findUnique({
      where: { id: req.params.id },
      include: {
-       posts: true,         // Could be thousands of posts
-       comments: true,      // Could be tens of thousands
+       posts: {
+         take: 20,
+         orderBy: { createdAt: 'desc' },
+         select: { id: true, title: true, createdAt: true },
+       },
+       comments: {
+         take: 50,
+         orderBy: { createdAt: 'desc' },
+       },
      }
    });
    res.json(user);
  });
🐍 Python 查看全部 Python 详情 →
Missing API Rate Limiting MEDIUM

Add rate limiting to authentication and expensive API endpoints

+7 -2 python 
  from flask import Flask, request, jsonify
- 
- @app.route('/api/login', methods=['POST'])
+ from flask_limiter import Limiter
+ from flask_limiter.util import get_remote_address
+ 
+ limiter = Limiter(app=app, key_func=get_remote_address)
+ 
+ @app.route('/api/login', methods=['POST'])
+ @limiter.limit("5 per minute")
  def login():
      user = authenticate(request.json)
      return jsonify({'token': generate_token(user)})
3 检测
3 检测

查找代码中的漏洞

使用Shoulder扫描代码中的Allocation of Resources Without Limits or Throttling模式。 3 规则.

终端
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=770

# Or scan entire project
npx @shoulderdev/cli trust .

检测规则 (3)

4 警告信号
4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Allocation of Resources Without Limits or Throttling漏洞。在代码审查和安全审计中注意查找。

🟡
Body parser without size limit: ... Without request size limits, attackers can send oversized payloads causing memory ex javascript-express-request-size-limits
🟡
missing or inadequate request size limits in Express javascript-express-request-size-limits
🟡
Relation '...' loaded without 'take' limit. This can cause resource exhaustion if users have many related records. prisma-unsafe-include
🟡
API endpoint lacks rate limiting protection python-missing-rate-limiting
🟡
API endpoints without rate limiting python-missing-rate-limiting
🔍

扫描你的代码库: Allocation of Resources Without Limits or Throttling

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则