Fix Unrestricted Resource Consumption in Blitz.js
Blitz.js abstracts the API layer into RPC calls, but it doesn't abstract away the physics of resource exhaustion. Unrestricted RPC endpoints are a prime target for Denial of Service (DoS) and 'Denial of Wallet' attacks. If your queries fetch unbounded datasets or your mutations trigger heavy compute without rate limiting, an attacker can trivially peg your CPU or exhaust your database connection pool. We need to enforce strict input boundaries and middleware-level throttling.
The Vulnerable Pattern
import { resolver } from '@blitzjs/rpc';
import db from 'db';

// VULNERABLE: No input validation, no pagination, no rate limiting.
// An attacker can call this repeatedly to scrape the entire DB or cause OOM errors.
export default resolver.pipe(async (params) => {
  const users = await db.user.findMany();
  return users;
});
The Secure Implementation
The vulnerability lies in the 'Unbounded Query' pattern. To fix this, we implement three layers of defense:

1. Input Validation: Use Zod to enforce a 'take' limit, preventing attackers from requesting a million records in one go.
2. Pagination: Use Prisma's skip/take parameters to ensure the database only processes a subset of data.
3. Resource Metering: In a production environment, you must also wrap these resolvers in a rate-limiting middleware (like 'bottleneck' or a Redis-backed throttler) to drop requests from IPs that exceed a defined threshold, preventing CPU exhaustion during the JSON serialization phase.
import { resolver } from '@blitzjs/rpc';
import { z } from 'zod';
import db from 'db';

// SECURE: Strict input schema, enforced limits, and authorization.
const GetUsersSchema = z.object({
  skip: z.number().min(0).default(0),
  take: z.number().min(1).max(50).default(20), // Hard cap on result size
});

export default resolver.pipe(
  resolver.authorize(),
  resolver.zod(GetUsersSchema),
  async ({ skip, take }) => {
    // DB-level pagination prevents massive memory allocation
    const users = await db.user.findMany({
      skip,
      take,
      orderBy: { id: 'asc' },
      select: { id: true, name: true }, // Avoid fetching sensitive/heavy blobs
    });
    return users;
  }
);
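The third layer, resource metering, is described above but not shown. The following is an added example (not Blitz.js or Prisma code) of a per-client token-bucket throttler that wraps a resolver step and rejects with a 429 once a client's bucket is empty. It assumes a single process (the in-memory Map stands in for the Redis store a multi-instance deployment needs) and a hypothetical `ctx.ip` field; in real code derive the key from the request behind a trusted proxy.

```typescript
// Added example: token-bucket rate limiting for a Blitz resolver step.
type Bucket = { tokens: number; last: number };
type Ctx = { ip: string }; // assumed shape; Blitz's ctx carries the session, not an ip

export class TokenBucketLimiter {
  private buckets = new Map<string, Bucket>(); // stand-in for Redis (single process)
  constructor(
    private capacity: number,     // burst size per client
    private refillPerSec: number, // sustained request rate per client
    private now: () => number = () => Date.now(), // injectable clock for tests
  ) {}

  // Consume one token for `key`; returns false when the client must be throttled.
  allow(key: string): boolean {
    const t = this.now();
    const b = this.buckets.get(key) ?? { tokens: this.capacity, last: t };
    const elapsedSec = Math.max(0, (t - b.last) / 1000);
    // Refill proportionally to elapsed time, never beyond the burst capacity.
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.last = t;
    const ok = b.tokens >= 1;
    if (ok) b.tokens -= 1;
    this.buckets.set(key, b);
    return ok;
  }
}

export class RateLimitError extends Error {
  status = 429;
}

// Wrap a resolver step: the bucket is checked before any DB or compute work runs,
// so a flooding client is dropped cheaply instead of serializing large results.
export function throttle<I, O>(
  limiter: TokenBucketLimiter,
  keyOf: (ctx: Ctx) => string,
  step: (input: I, ctx: Ctx) => Promise<O>,
): (input: I, ctx: Ctx) => Promise<O> {
  return async (input, ctx) => {
    if (!limiter.allow(keyOf(ctx))) throw new RateLimitError("Too many requests");
    return step(input, ctx);
  };
}
```

In a Blitz resolver this wrapper would sit inside resolver.pipe after resolver.zod, so validation cost stays low and the paginated query only runs for clients under the threshold.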
Verified by Ghost Labs Security Team