# Allocation of Resources Without Limits or Throttling (CWE-770)

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated.

**Stack:** JavaScript

- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: 3 remediation examples recorded

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Without limits on resource allocation, an attacker can consume all available resources, causing denial of service for legitimate users.

## Prevention

Prevention strategies for Allocation Without Limits, based on 2 Shoulder detection rules.

### JavaScript

- Set size limits on body parser middleware to prevent memory exhaustion.
- Add `take` limits to all relation includes to prevent unbounded data loading and resource exhaustion.

## Warning Signs

- [MEDIUM] Body parser without size limit: ... Without request size limits, attackers can send oversized payloads causing memory exhaustion.
- [MEDIUM] Missing or inadequate request size limits in Express.
- [MEDIUM] Relation '...' loaded without 'take' limit. This can cause resource exhaustion if users have many related records.

## Consequences

- Denial of Service (DoS): resource consumption
- Denial of Service (DoS): crash, exit or restart

## Mitigations

- Apply rate limits to all resource allocations.
- Set a maximum cap on resource pools.
- Monitor resource usage and alert when it approaches the caps.

## Detection

- Total rules: 3
- Languages: javascript, typescript, python

## Rules by Language

### Javascript (2 rules)

- **Request Size Limits in Express.js** [MEDIUM]: Detects missing or inadequate request size limits in Express.js applications. Without request size limits:
  1. Attackers can send large payloads to exhaust server memory (DoS).
  2. Disk space can be filled with uploaded content.
  3. JSON parsing of large payloads blocks the event loop.
  4. Server resources can be exhausted processing oversized requests.

  Different content types need different limits:
  - JSON payloads are more dangerous, because parsing them blocks the event loop.
  - File uploads may legitimately need larger limits.

  Remediation: Add size limits to body parser middleware:

  ```typescript
  // JSON bodies
  app.use(express.json({ limit: '100kb' }));
  // URL-encoded forms
  app.use(express.urlencoded({ extended: true, limit: '100kb' }));
  // Raw data
  app.use(express.raw({ limit: '1mb' }));
  ```

  Choose appropriate limits based on your API requirements. The parser rejects a body over the limit with HTTP 413, both when the declared Content-Length exceeds it and when the streamed bytes do; these limits cover only bodies read by these parsers, so routes that stream uploads through other middleware need their own size limits.

- **Prisma Unbounded Relation Loading** [MEDIUM]: Unbounded includes without `take` limits can exhaust database and memory resources, causing denial of service.

  Remediation: Add `take` limits to all relation includes.

  ```typescript
  const user = await prisma.user.findUnique({
    where: { id: userId },
    include: {
      posts: {
        take: 10,
        orderBy: { createdAt: 'desc' },
      },
    },
  });
  ```

  A `take` on the include bounds the relation per parent row; when the parent query is a `findMany`, bound the parent with `take` as well, or the total rows loaded are still unbounded.

  Learn more: https://shoulder.dev/learn/typescript/cwe-770/unsafe-include

### Typescript (2 rules)

The same two rules apply to TypeScript: **Request Size Limits in Express.js** [MEDIUM] and **Prisma Unbounded Relation Loading** [MEDIUM], with the descriptions and remediations given under Javascript above.