
Fix Unrestricted Resource Consumption in CodeIgniter

Unrestricted Resource Consumption in CodeIgniter 4 often manifests as Denial of Service (DoS). Attackers exploit endpoints that lack input validation on loops, file uploads, or database queries, forcing the server to exhaust RAM or CPU. If your controller blindly trusts user-supplied 'limit' parameters or processes massive image uploads without constraints, your app is a sitting duck for resource exhaustion.

The Vulnerable Pattern

public function fetchLogs()
{
    // VULNERABLE: Direct use of user input in query limit
    $limit = $this->request->getGet('count');
    $logs  = $this->db->table('system_logs')->limit($limit)->get()->getResult();

    // VULNERABLE: No file size check before processing
    $file = $this->request->getFile('attachment');
    $file->move(WRITEPATH . 'uploads');

    return $this->response->setJSON($logs);
}

The Secure Implementation

The fix implements three layers of defense:

1. Input sanitization and capping: by clamping the limit with min($limit, 100), we prevent an attacker from requesting a million rows and exhausting the database or PHP memory.
2. Rate limiting: the CodeIgniter Throttler service is used to stop automated scripts from hammering the endpoint.
3. Strict validation: the 'max_size' rule prevents disk exhaustion by rejecting oversized payloads before they are permanently stored.

Always enforce global request size limits in your .env or php.ini to complement these application-level checks.

public function fetchLogs()
{
    // SECURE: Throttle first, before any expensive work is done for this request
    $throttler = \Config\Services::throttler();
    if ($throttler->check($this->request->getIPAddress(), 60, MINUTE) === false) {
        return $this->response->setStatusCode(429)->setBody('Too Many Requests');
    }

    // SECURE: Strict type casting and hard-coded maximums
    $count = $this->request->getGet('count');
    $limit = is_numeric($count) ? (int) $count : 10;
    $limit = max(1, min($limit, 100)); // Enforce hard cap of 100 and reject zero/negative values
    $logs  = $this->db->table('system_logs')->limit($limit)->get()->getResult();

    // SECURE: File size validation before the upload is written to disk
    $file = $this->request->getFile('attachment');
    if ($file !== null && $file->isValid() && ! $file->hasMoved()) {
        $validationRule = [
            'attachment' => [
                // max_size is in kilobytes: 2048 KB = 2 MB
                'rules' => 'uploaded[attachment]|max_size[attachment,2048]|ext_in[attachment,png,jpg]',
            ],
        ];
        if (! $this->validate($validationRule)) {
            return $this->failValidationErrors($this->validator->getErrors());
        }
        $file->move(WRITEPATH . 'uploads');
    }

    return $this->response->setJSON($logs);
}
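A rate limit that lives inside one controller action only protects that action, and only if it runs before the expensive work. As an added example (not code from the original article), the same Throttler check can be moved into a CodeIgniter 4 filter so it runs before any controller; it assumes the stock Throttler service, the framework's MINUTE constant, and a filter alias named 'throttle' that you register yourself.

```php
<?php

// Added example, not part of the original article: a CodeIgniter 4 filter
// that rate-limits every request before the controller runs, so the check
// cannot be skipped by the ordering of code inside individual actions.
// Assumes the stock Throttler service and the MINUTE constant from app/Config/Constants.php.

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use Config\Services;

class Throttle implements FilterInterface
{
    // Default token-bucket capacity: requests allowed per client per minute.
    private const DEFAULT_CAPACITY = 60;

    public function before(RequestInterface $request, $arguments = null)
    {
        $throttler = Services::throttler();

        // Optional per-route capacity, e.g. 'throttle:10' in a route's filter list.
        $capacity = isset($arguments[0]) && is_numeric($arguments[0])
            ? max(1, (int) $arguments[0])
            : self::DEFAULT_CAPACITY;

        // Key the bucket on the client IP. Behind a reverse proxy, configure
        // Config\App::$proxyIPs so getIPAddress() yields the real client address.
        $key = 'throttle_' . md5($request->getIPAddress());

        if ($throttler->check($key, $capacity, MINUTE) === false) {
            // Returning a response from before() short-circuits the request:
            // the controller (and its database query) never executes.
            return Services::response()
                ->setStatusCode(429)
                ->setHeader('Retry-After', (string) $throttler->getTokenTime())
                ->setJSON(['error' => 'Too Many Requests']);
        }

        return null;
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do once the controller has run.
    }
}
```

Register it in app/Config/Filters.php by adding 'throttle' => \App\Filters\Throttle::class to $aliases and 'throttle' to $globals['before'] (or attach it to specific routes with a per-route capacity such as 'throttle:10').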
