GuardAPI

Fix Unrestricted Resource Consumption in Fresh

Fresh applications built on Deno are vulnerable to Unrestricted Resource Consumption (a denial-of-service condition) when handlers process untrusted input without enforcing bounds on memory, CPU, or disk usage. In a Fresh handler, calling `req.json()` or `req.text()` on an unvalidated request buffers the entire body into memory before any of your own code runs; an attacker who sends a multi-gigabyte payload can exhaust the V8 heap and crash the process, taking every other in-flight request on that instance down with it.

The Vulnerable Pattern

export const handler = async (req: Request): Promise<Response> => {
  // VULNERABLE: Automatically buffers the entire body into memory
  // An attacker can send a 2GB JSON payload to crash the isolate.
  const data = await req.json();

  // VULNERABLE: Using user input to control loop iterations without a ceiling
  for (let i = 0; i < data.iterations; i++) {
    console.log("Processing...");
  }

  return new Response("Success");
};

The Secure Implementation

The secure implementation layers several controls (defense in depth). First, it checks the Content-Length header and rejects an honestly declared oversize payload before reading a single byte. Second, because that header is trivially spoofable and is absent altogether on chunked uploads, it consumes the body as a ReadableStream and counts the bytes actually received, aborting the moment the ceiling is crossed. Finally, it clamps the attacker-controlled loop count to a hard-coded maximum so CPU time is bounded as well. Note that byte counting does not address slow-send attacks such as Slowloris, where a client trickles a body for minutes to keep a worker occupied; that needs a read deadline or idle timeout, enforced in the handler or by the proxy in front of it. In a production Fresh app these limits should also be enforced at the edge (for example Cloudflare or Deno Deploy) and in middleware, so every route is covered rather than only the ones that remember to check.

const MAX_PAYLOAD_SIZE = 1024 * 100; // 100KB
const MAX_ITERATIONS = 50;

export const handler = async (req: Request): Promise<Response> => {
  // 1. Fail fast on a declared oversize body. A missing header is acceptable
  //    (chunked bodies have none); a malformed one must not silently parse as 0.
  const declared = req.headers.get("content-length");
  const contentLength = declared === null ? 0 : Number(declared);
  if (!Number.isInteger(contentLength) || contentLength < 0) {
    return new Response("Bad Request", { status: 400 });
  }
  if (contentLength > MAX_PAYLOAD_SIZE) {
    return new Response("Payload Too Large", { status: 413 });
  }

  // 2. Enforce the limit on bytes actually received, so a spoofed or absent
  //    Content-Length cannot bypass step 1
  const reader = req.body?.getReader();
  if (!reader) return new Response("Bad Request", { status: 400 });

  let received = 0;
  const chunks: Uint8Array[] = [];

  while (true) {
    const { done, value } = await reader.read();
    if (done) break;
    received += value.length;
    if (received > MAX_PAYLOAD_SIZE) {
      await reader.cancel(); // release the connection instead of leaving it half-read
      return new Response("Payload Limit Exceeded", { status: 413 });
    }
    chunks.push(value);
  }

  // Parse only after the size check held; invalid JSON is a client error, not a crash
  let data;
  try {
    const rawBody = new TextDecoder().decode(await new Blob(chunks).arrayBuffer());
    data = JSON.parse(rawBody);
  } catch {
    return new Response("Malformed JSON", { status: 400 });
  }

  // 3. Constrain logic execution: clamp the attacker-controlled count to a ceiling
  const iterations = Math.min(Math.max(0, Number(data?.iterations) || 0), MAX_ITERATIONS);
  for (let i = 0; i < iterations; i++) {
    // Safe processing logic
  }

  return new Response("Securely Processed");
};
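The handler above hard-codes its limits into one route. The following is an added example, not code from the page or from Fresh: it factors the same three controls into a reusable helper and adds the one the text says byte counting cannot provide, a deadline on receiving the body, so a client that trickles bytes forever is cut off with a 408 instead of holding a worker. The names (`readBodyWithLimit`, `checkDeclaredLength`, `processRequest`, `chunkedRequest`), the 5 second deadline, and the Fresh route wiring at the bottom are assumptions; the helper uses only web-standard Request, Response, Headers and ReadableStream, so it runs unchanged in Deno and under Node 18+. The `chunkedRequest` helper builds constructed sample requests for trying it out offline.

```typescript
// Added example, not the page's own handler: body limiting as a reusable
// helper on web-standard APIs, runnable in Deno (Fresh) and Node 18+.
const MAX_BODY_BYTES = 100 * 1024; // same 100 KiB ceiling as the handler above
const MAX_BODY_MS = 5_000;         // assumed value: budget for receiving the whole body
const MAX_ITERATIONS = 50;

// Error carrying the HTTP status the handler should answer with.
class BodyLimitError extends Error {
  readonly status: 400 | 408 | 413;
  constructor(status: 400 | 408 | 413, message: string) {
    super(message);
    this.name = "BodyLimitError";
    this.status = status;
  }
}

// Cheap pre-check on the advertised size. No header is allowed (chunked uploads
// carry none); a malformed header is rejected instead of being parsed as 0.
function checkDeclaredLength(headers: Headers, maxBytes: number): void {
  const declared = headers.get("content-length");
  if (declared === null) return;
  const n = Number(declared);
  if (!Number.isInteger(n) || n < 0) throw new BodyLimitError(400, "Invalid Content-Length");
  if (n > maxBytes) throw new BodyLimitError(413, "Declared body too large");
}

// Races a promise against a deadline; the timer is always cleared so a fast
// read does not leave a dangling timeout behind.
function withDeadline<T>(p: Promise<T>, ms: number): Promise<T> {
  let timer: ReturnType<typeof setTimeout> | undefined;
  const expiry = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(new BodyLimitError(408, "Body read timed out")), ms);
  });
  return Promise.race([p, expiry]).finally(() => clearTimeout(timer));
}

// Buffers the body while bounding what is actually received (not what the client
// claims) and how long the client may take to send it. On any violation the
// stream is cancelled so the connection is released rather than left half-read.
async function readBodyWithLimit(req: Request, maxBytes: number, maxMs: number): Promise<Uint8Array> {
  checkDeclaredLength(req.headers, maxBytes);
  if (!req.body) return new Uint8Array(0);
  const reader = req.body.getReader();
  const chunks: Uint8Array[] = [];
  let received = 0;
  const deadline = Date.now() + maxMs;
  try {
    for (;;) {
      const { done, value } = await withDeadline(reader.read(), deadline - Date.now());
      if (done) break;
      received += value.byteLength;
      if (received > maxBytes) throw new BodyLimitError(413, "Body exceeds limit");
      chunks.push(value);
    }
  } catch (err) {
    await reader.cancel().catch(() => {});
    throw err;
  }
  const out = new Uint8Array(received);
  let offset = 0;
  for (const c of chunks) { out.set(c, offset); offset += c.byteLength; }
  return out;
}

// The article's handler rebuilt on the helper: JSON is parsed only after the byte
// ceiling held, a parse failure is a 400 rather than a crash, and the iteration
// count is coerced to a bounded non-negative integer.
async function processRequest(req: Request, maxBytes: number, maxMs: number): Promise<Response> {
  let data: { iterations?: unknown } | null;
  try {
    data = JSON.parse(new TextDecoder().decode(await readBodyWithLimit(req, maxBytes, maxMs)));
  } catch (err) {
    if (err instanceof BodyLimitError) return new Response(err.message, { status: err.status });
    return new Response("Malformed JSON", { status: 400 });
  }
  const requested = Math.trunc(Number(data?.iterations));
  const iterations = Number.isFinite(requested) ? Math.min(Math.max(0, requested), MAX_ITERATIONS) : 0;
  let processed = 0;
  for (let i = 0; i < iterations; i++) processed++; // stand-in for the real per-item work
  return new Response(JSON.stringify({ processed }), { headers: { "content-type": "application/json" } });
}

// Assumed route wiring: Fresh passes a context as the second argument, unused here.
export const handler = (req: Request): Promise<Response> => processRequest(req, MAX_BODY_BYTES, MAX_BODY_MS);

// Constructed sample input for trying the helper offline: a POST whose body arrives
// in fixed-size chunks with no Content-Length (like a chunked upload), or, with
// stall=true, a body that never arrives. `duplex` is required by Node's fetch for
// stream bodies and ignored by runtimes that do not define it.
function chunkedRequest(bytes: Uint8Array, chunkSize = 4096, stall = false): Request {
  let offset = 0;
  const body = new ReadableStream<Uint8Array>({
    pull(controller) {
      if (stall) return new Promise<void>(() => {});
      if (offset >= bytes.byteLength) { controller.close(); return; }
      controller.enqueue(bytes.subarray(offset, offset + chunkSize));
      offset += chunkSize;
    },
  });
  return new Request("http://localhost/api", { method: "POST", body, duplex: "half" } as RequestInit);
}
```

`processRequest` takes the limits as parameters so a `_middleware.ts` or a test can supply stricter ones; a body that is exactly at the ceiling is accepted, one byte over is refused with 413 even when no Content-Length was sent, and a stalled sender is refused with 408 once the budget elapses.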


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.