
Fix Unrestricted Resource Consumption in Django

Unrestricted Resource Consumption (CWE-400) is a textbook DoS vector. In Django, failing to cap file uploads, query limits, or request body sizes allows an attacker to exhaust RAM, CPU, or Disk I/O. If you are not enforcing strict limits at the gateway and application levels, your service is one 'dd if=/dev/zero' away from a total outage.

The Vulnerable Pattern

from django.http import HttpResponse
from .models import MyModel  # assumed app-local model; the page does not show where MyModel is defined

def process_data(request):
    # VULNERABLE: No limit on input size or processing time
    # An attacker can send a multi-gigabyte JSON payload
    data = request.body

    # VULNERABLE: Fetching all records without pagination
    # An attacker triggers a query that loads 1M+ rows into RAM
    results = MyModel.objects.all()

    # VULNERABLE: Unbounded file upload
    uploaded_file = request.FILES['log_file']
    with open('/tmp/' + uploaded_file.name, 'wb+') as f:
        for chunk in uploaded_file.chunks():
            f.write(chunk)
    return HttpResponse('Done')

The Secure Implementation

To kill resource exhaustion, you must apply constraints at every layer.

1. Use DATA_UPLOAD_MAX_MEMORY_SIZE in settings to drop oversized requests before they hit your views.
2. Never use .all() on models without .only() or .defer() to minimize RAM usage, and always wrap results in a Paginator to prevent 'Deep Offset' or 'Full Table' memory spikes.
3. For file uploads, validate file.size immediately and use a temporary storage backend that enforces disk quotas.
4. Implement rate limiting (e.g., django-ratelimit) to prevent automated resource-heavy request floods.

# settings.py
# Request bodies larger than this (file uploads excluded) raise
# RequestDataTooBig, which Django turns into a 400 Bad Request
DATA_UPLOAD_MAX_MEMORY_SIZE = 5242880  # 5MB limit
# Uploads above this threshold are streamed to a temporary file instead of
# being held in RAM; it bounds memory use, not the total upload size
FILE_UPLOAD_MAX_MEMORY_SIZE = 5242880

# views.py
from django.core.paginator import Paginator
from django.core.exceptions import ValidationError
from django.shortcuts import render
from .models import MyModel  # assumed app-local model; the page does not show where MyModel is defined

MAX_FILE_SIZE = 5 * 1024 * 1024  # 5MB

def process_data(request):
    # SECURE: Limit DB query results via Paginator
    raw_results = MyModel.objects.all().only('id', 'name')
    paginator = Paginator(raw_results, 100)
    page_obj = paginator.get_page(request.GET.get('page'))

    # SECURE: Explicit size validation for uploads
    uploaded_file = request.FILES.get('log_file')
    if uploaded_file:
        if uploaded_file.size > MAX_FILE_SIZE:
            raise ValidationError('Payload too large')
        # Process file...

    return render(request, 'results.html', {'page_obj': page_obj})
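The size check above runs only after Django has already received the whole upload, and a client-supplied size can be understated. Here is an added, framework-independent example (not GuardAPI's code) that enforces the same MAX_FILE_SIZE while the bytes are still streaming: write_bounded accepts any iterable of byte chunks, such as Django's uploaded_file.chunks(), and clamp_page_params bounds the page/per_page query parameters before they reach Paginator. The function names, the 1000-page cap and the PayloadTooLarge exception are assumptions.

```python
"""Bounded handling of untrusted request data, mirroring the limits above."""
import io
from typing import Iterable, Optional

MAX_FILE_SIZE = 5 * 1024 * 1024  # same 5 MB cap as the view above
CHUNK_SIZE = 64 * 1024            # Django's default UploadedFile.chunks() size


class PayloadTooLarge(Exception):
    """Raised as soon as an upload exceeds the cap (maps to HTTP 413)."""


def write_bounded(chunks: Iterable[bytes], dest, max_size: int = MAX_FILE_SIZE,
                  declared_size: Optional[int] = None) -> int:
    """Copy `chunks` to `dest`, aborting the moment the cap is exceeded.

    `declared_size` is the client-supplied Content-Length (or file.size): it is
    checked first so an honestly oversized upload is refused before any byte
    is read, but it is never trusted, because a client can understate it.
    """
    if declared_size is not None and declared_size > max_size:
        raise PayloadTooLarge(f"declared {declared_size} > {max_size}")
    written = 0
    for chunk in chunks:
        written += len(chunk)
        if written > max_size:
            # Stop reading: spend no more RAM, CPU or disk on this request,
            # and drop the partial file so nothing half-written is kept.
            dest.seek(0)
            dest.truncate(0)
            raise PayloadTooLarge(f"stream exceeded {max_size} bytes")
        dest.write(chunk)
    return written


def clamp_page_params(page, per_page, max_per_page: int = 100,
                      max_page: int = 1000) -> tuple:
    """Bound pagination query parameters so a request cannot ask for
    page=10**9 or per_page=10**6 and force a deep OFFSET or a huge result set."""
    def to_int(raw, default):
        try:
            value = int(raw)
        except (TypeError, ValueError):
            return default
        return value if value >= 1 else default
    return (min(to_int(page, 1), max_page),
            min(to_int(per_page, max_per_page), max_per_page))
```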
Verified by Ghost Labs Security Team