Fix Unrestricted Resource Consumption in CherryPy

CherryPy apps are vulnerable to Denial of Service (DoS) via resource exhaustion if global limits aren't enforced. By default, an attacker can flood the server with massive request bodies or hold connections open indefinitely, starving the thread pool and crashing the process. Hardening requires strict enforcement of body sizes and socket timeouts.

The Vulnerable Pattern

import cherrypy
class VulnerableApp:
@cherrypy.expose
def upload(self, large_file):
# No limit on request size; attacker can send 10GB to exhaust RAM/Disk
return “File received”
if name == ‘main’:
# Default config lacks resource constraints
cherrypy.quickstart(VulnerableApp())

The Secure Implementation

The fix targets the transport and application layers. Setting 'server.max_request_body_size' forces CherryPy to drop connections that exceed the byte limit before the application logic processes them, preventing memory exhaustion. 'server.socket_timeout' mitigates slowloris attacks by timing out slow, persistent connections that aim to occupy all available threads in the 'server.thread_pool'. Always bound these parameters based on your specific workload requirements to ensure availability.

import cherrypy
class SecuredApp:
@cherrypy.expose
def upload(self, large_file):
return “File received”
if name == ‘main’:
# Enforce strict resource limits via global config
cherrypy.config.update({
‘server.max_request_body_size’: 2097152,  # Limit to 2MB
‘server.socket_timeout’: 10,             # Kill idle sockets after 10s
‘server.thread_pool’: 10,                # Bound the thread pool
‘server.max_request_header_size’: 8192   # Prevent Header-based DoS
})
cherrypy.quickstart(SecuredApp())</code></pre>