Fix Lack of Resources & Rate Limiting in Bottle
Bottle is a micro-framework that prioritizes simplicity, but it ships with zero default protections against resource exhaustion. By default, it will attempt to parse any size payload and process requests as fast as the GIL allows. To prevent Denial of Service (DoS) attacks, you must manually enforce payload limits and implement a throttling mechanism at the application layer or via middleware.
The Vulnerable Pattern
```python
from bottle import route, request, run

@route('/upload', method='POST')
def do_upload():
    # VULNERABILITY: No limit on request body size.
    # VULNERABILITY: No rate limiting; an attacker can flood this endpoint.
    data = request.body.read()
    return {'status': 'received'}

run(host='0.0.0.0', port=8080)
```
The Secure Implementation
The secure implementation addresses two vectors: Memory Exhaustion and CPU/Thread Exhaustion. By setting `BaseRequest.MEMFILE_MAX`, we tell Bottle to terminate connections that exceed our size threshold before they are fully buffered into RAM. The `@rate_limit` decorator implements a fixed-window counter based on the client's IP address, returning a 429 status code when the threshold is hit. In a production environment, this should be offloaded to a reverse proxy like Nginx or a centralized store like Redis to handle distributed traffic.
```python
from bottle import route, request, run, HTTPError, BaseRequest
from functools import wraps
import time

# 1. Enforce a global maximum request body size (e.g., 1MB)
BaseRequest.MEMFILE_MAX = 1024 * 1024

# 2. Simple Rate Limiting Logic (In-memory for demo; use Redis in production)
_request_history = {}

def rate_limit(limit=5, window=60):
    def decorator(func):
        @wraps(func)  # keep the route callback's name and docstring
        def wrapper(*args, **kwargs):
            ip = request.remote_addr
            now = time.time()
            # Drop timestamps that have aged out of the window
            _request_history[ip] = [t for t in _request_history.get(ip, []) if t > now - window]
            if len(_request_history[ip]) >= limit:
                raise HTTPError(429, 'Too Many Requests')
            _request_history[ip].append(now)
            return func(*args, **kwargs)
        return wrapper
    return decorator

@route('/upload', method='POST')
@rate_limit(limit=10, window=60)
def do_upload():
    return {'status': 'secure'}

run(host='0.0.0.0', port=8080)
```
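Two caveats are worth checking against the decorator above before shipping it. Bottle's own documentation describes `MEMFILE_MAX` as the ceiling on the in-memory buffer: a body larger than that, read through `request.body`, is spooled to a temporary file rather than refused (the JSON and form accessors do refuse it), so a handler that reads the raw body still consumes an oversized upload. And `request.remote_addr` prefers `X-Forwarded-For`, a header any client can set when no trusted proxy sits in front of the app, which lets one source spread its requests across many keys. The middleware below is an added example, not code from the page or from Bottle: it enforces both controls as plain WSGI in front of any app (wire it in with `run(app=ResourceGuard(default_app()))`), keys the limiter on the socket peer, prunes idle clients so the limiter's own table cannot grow without bound, and rejects on the declared `Content-Length` before any body byte is read. The class and function names, the 3-per-60-seconds limits and the RFC 5737 addresses are assumptions of the example; the traffic in `demo()` is constructed.

```python
import io
import math
import threading
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` hits per client in any `window`-second span. Idle
    clients are evicted on every call, so the table is bounded by the clients
    active in the last window (a never-pruned dict keyed by IP is itself a sink)."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = {}                  # client -> deque of hit timestamps
        self._lock = threading.Lock()    # Bottle's server backends may be threaded

    def check(self, client):
        """Return (allowed, retry_after_seconds); retry_after is 0 when allowed."""
        now = self.clock()
        cutoff = now - self.window
        with self._lock:
            for idle in [c for c, q in self._hits.items() if not q or q[-1] <= cutoff]:
                del self._hits[idle]
            q = self._hits.setdefault(client, deque())
            while q and q[0] <= cutoff:
                q.popleft()               # drop hits that aged out of the window
            if len(q) >= self.limit:
                return False, max(1, math.ceil(q[0] + self.window - now))
            q.append(now)
            return True, 0


class ResourceGuard:
    """WSGI middleware: 429 for flooding clients, 413/411 for bodies it will not accept."""

    def __init__(self, app, max_body=1024 * 1024, limit=10, window=60, clock=time.monotonic):
        self.app, self.max_body = app, max_body
        self.limiter = SlidingWindowLimiter(limit, window, clock)

    @staticmethod
    def _reject(start_response, status, extra_headers=()):
        body = status.encode("ascii")
        headers = [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
        start_response(status, headers + list(extra_headers))
        return [body]

    def __call__(self, environ, start_response):
        # Key on the socket peer: X-Forwarded-For is client-controlled unless a
        # trusted reverse proxy in front of this app overwrites it.
        allowed, retry_after = self.limiter.check(environ.get("REMOTE_ADDR", "unknown"))
        if not allowed:
            return self._reject(start_response, "429 Too Many Requests",
                                [("Retry-After", str(retry_after))])
        # Judge the declared length before reading a single body byte, so an
        # oversized upload costs neither RAM nor temp-file space. A chunked body
        # declares no length; this example insists on one (411).
        if environ.get("HTTP_TRANSFER_ENCODING", "").lower() == "chunked":
            return self._reject(start_response, "411 Length Required")
        declared = environ.get("CONTENT_LENGTH") or "0"
        if not declared.isdigit():        # rejects negative and non-numeric values
            return self._reject(start_response, "400 Bad Request")
        if int(declared) > self.max_body:
            return self._reject(start_response, "413 Request Entity Too Large")
        return self.app(environ, start_response)


def call(app, environ):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


def echo_app(environ, start_response):
    """Stand-in for the page's upload handler: reads exactly the declared length."""
    data = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"received %d bytes" % len(data)]


def make_environ(body=b"", addr="203.0.113.5", chunked=False):
    """Constructed POST environ; addresses are from the RFC 5737 documentation ranges."""
    env = {"REQUEST_METHOD": "POST", "PATH_INFO": "/upload",
           "REMOTE_ADDR": addr, "wsgi.input": io.BytesIO(body)}
    if chunked:
        env["HTTP_TRANSFER_ENCODING"] = "chunked"
    else:
        env["CONTENT_LENGTH"] = str(len(body))
    return env


def demo():
    """Constructed traffic against a guard allowing 3 requests/60 s and 64-byte bodies."""
    clock = [1000.0]                     # fake clock so the window can be advanced
    guard = ResourceGuard(echo_app, max_body=64, limit=3, window=60, clock=lambda: clock[0])
    burst = [call(guard, make_environ(body=b"ok")) for _ in range(4)]
    clock[0] += 61                       # window expires; the same client is admitted again
    return {"burst": [r[0] for r in burst],
            "retry_after": burst[3][1].get("Retry-After"),
            "renewed": call(guard, make_environ(body=b"ok"))[0],
            "oversized": call(guard, make_environ(body=b"x" * 65, addr="198.51.100.9"))[0],
            "chunked": call(guard, make_environ(addr="198.51.100.10", chunked=True))[0]}


if __name__ == "__main__":
    print(demo())
```

The limiter runs before the size check so that a flood of oversized requests is still counted against the sender, and the size check runs before the handler so that Bottle never buffers or spools a body the policy would refuse. As the page says, a single process dict is a demonstration: behind a load balancer the counters belong in Redis or in the reverse proxy, and the `Retry-After` value tells well-behaved clients when the oldest counted hit leaves the window.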
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.