no-unlimited-resource-allocation
Detects unlimited resource allocation that could cause DoS. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-sec
Keywords: resource allocation, CWE-770, DoS, memory exhaustion, security, rate limiting
Detects unlimited resource allocation that could cause DoS. This rule is part of eslint-plugin-secure-coding.
💼 This rule is set to error in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-770 (Allocation Without Limits) |
| Severity | High (CVSS 7.5) |
| Auto-Fix | 💡 Suggestions available |
| Category | Buffer, Memory & DoS |
Vulnerability and Risk
Vulnerability: Unlimited resource allocation occurs when an application allocates resources (like memory, file descriptors, or database connections) based on untrusted user input without any upper bounds.
Risk: An attacker can trigger the allocation of massive amounts of resources (e.g., sending a request with a very large size parameter), causing the application to crash due to Out-Of-Memory (OOM) errors or exhaustion of system limits (Denial of Service).
Rule Details
Unlimited resource allocation can cause denial of service by exhausting system resources like memory, file handles, or network connections. Attackers can:
- Crash the application with memory exhaustion
- Exhaust file descriptors
- Overwhelm network resources
- Cause system-wide resource starvation
Why This Matters
| Issue | Impact | Solution |
|---|---|---|
| 💾 Memory Exhaustion | Application crash | Limit allocation sizes |
| 📂 FD Exhaustion | Service unavailable | Close resources properly |
| 🌐 Connection Flood | Network DoS | Implement rate limiting |
Examples
❌ Incorrect
// Allocating buffer with user-controlled size
const size = parseInt(req.query.size);
const buffer = Buffer.alloc(size); // Can be huge!
// Reading entire file into memory
const data = fs.readFileSync(userFile);
// Creating array with user-controlled length
const array = new Array(userInput.length);
array.fill(0);
// Unlimited network connections
const connections = [];
for (const url of urls) {
connections.push(fetch(url)); // No limit!
}✅ Correct
// Limit allocation size
const MAX_SIZE = 10 * 1024 * 1024; // 10MB
const size = parseInt(req.query.size);
if (size > MAX_SIZE || size <= 0) {
throw new Error('Invalid size');
}
const buffer = Buffer.alloc(size);
// Stream large files
const stream = fs.createReadStream(userFile);
stream.pipe(response);
// Limit array size
const MAX_ITEMS = 1000;
const length = Math.min(userInput.length, MAX_ITEMS);
const array = new Array(length).fill(0);
// Limit concurrent connections
import pLimit from 'p-limit';
const limit = pLimit(10); // Max 10 concurrent
const results = await Promise.all(urls.map((url) => limit(() => fetch(url))));Configuration
{
rules: {
'secure-coding/no-unlimited-resource-allocation': ['error', {
maxResourceSize: 10485760, // 10MB
userInputVariables: ['req', 'request', 'input'],
safeResourceFunctions: ['limitedAlloc', 'safeBuffer'],
requireResourceValidation: true
}]
}
}Options
| Option | Type | Default | Description |
|---|---|---|---|
maxResourceSize | number | 10485760 | Maximum allowed resource size (bytes) |
userInputVariables | string[] | ['req', 'request'] | User input variable patterns |
safeResourceFunctions | string[] | [] | Safe allocation functions |
requireResourceValidation | boolean | true | Require validation before allocation |
Error Message Format
🔒 CWE-770 OWASP:A05-Misconfig CVSS:7.5 | Unlimited Resource Allocation | HIGH [SOC2,PCI-DSS]
Fix: Add size limits and validate user input before allocation | https://cwe.mitre.org/...Known False Negatives
The following patterns are not detected due to static analysis limitations:
Values from Variables
Why: Values stored in variables are not traced.
// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);Mitigation: Validate all user inputs.
Wrapper Functions
Why: Custom wrappers not recognized.
// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internallyMitigation: Apply rule to wrapper implementations.
Dynamic Invocation
Why: Dynamic calls not analyzed.
// ❌ NOT DETECTED - Dynamic
obj[method](userInput);Mitigation: Avoid dynamic method invocation.
Further Reading
- CWE-770 - Allocation without limits
- Node.js Streams - Efficient data handling
- OWASP DoS - DoS attack prevention
Related Rules
no-unchecked-loop-condition- Infinite loop conditionsno-buffer-overread- Buffer over-read
no-unescaped-url-parameter
Detects unescaped URL parameters that can lead to Cross-Site Scripting (XSS) or open redirect vulnerabilities. This rule is part of [`eslint-plugin-secure-codin
no-unsafe-deserialization
Detects unsafe deserialization of untrusted data. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure-coding