GuardAPI

Fix Unrestricted Resource Consumption in Hanami

Unrestricted Resource Consumption (CWE-400) in Hanami applications typically targets the action layer where unbounded parameters trigger expensive database queries or memory-intensive operations. An attacker can supply massive 'limit' values or deep 'offset' parameters to induce a Denial of Service (DoS) by exhausting the thread pool or database connections.

The Vulnerable Pattern

module Web::Actions::Exports
  class Index < Web::Action
    def handle(req, res)
      # VULNERABLE: Directly passing unsanitized limit to the repository.
      # An attacker can request ?limit=1000000000 to crash the process or lock the DB.
      limit = req.params[:limit]
      res.body = ExportRepository.new.all_with_limit(limit).to_json
    end
  end
end

The Secure Implementation

The secure implementation uses Hanami's validation DSL (its dry-validation integration) to declare a strict schema for the action's parameters. The 'lteq?: 100' predicate places a hard ceiling on the rows a single request can ask for, 'gt?: 0' rejects zero and negative values, and a request whose parameters fail the schema is answered with 422 instead of reaching the repository. Parameter validation alone is not enough: add Rack::Attack for per-client rate limiting, and make sure the web server (Puma/Falcon) and any proxy in front of it enforce a request timeout and a maximum request body size, so slowloris-style slow requests and oversized payloads are rejected before they reach the Hanami action logic.

module Web::Actions::Exports
  class Index < Web::Action
    # Use Hanami's built-in dry-validation integration to enforce constraints
    params do
      optional(:limit).filled(:integer, gt?: 0, lteq?: 100)
    end

    def handle(req, res)
      if req.params.valid?
        # Default to 20 if limit is not provided, capped at 100 by validator
        limit = req.params[:limit] || 20
        res.body = ExportRepository.new.all_with_limit(limit).to_json
      else
        res.status = 422
        res.body = { error: 'Invalid parameters' }.to_json
      end
    end
  end
end
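The following is an added example, not code from the GuardAPI page or from the Hanami project. It reproduces, in dependency-free Ruby that runs outside a Hanami app, the two controls the section describes: the same bounds the dry-validation schema imposes on 'limit' (integer, greater than 0, at most 100, default 20), extended to an 'offset' bound as well, and a per-client fixed-window throttle of the kind Rack::Attack provides in front of the action. The module and class names, the offset ceiling of 10,000, and the throttle parameters are assumptions chosen for the example.

```ruby
# Added example (hypothetical names): bounded pagination parameters plus a
# per-client fixed-window throttle, without dry-validation or Rack::Attack.

module PaginationParams
  DEFAULT_LIMIT = 20
  MAX_LIMIT     = 100      # same ceiling as lteq?: 100 in the Hanami schema
  MAX_OFFSET    = 10_000   # assumption: deep offsets are as expensive as large limits

  Result = Struct.new(:ok, :limit, :offset, :error, keyword_init: true)

  # raw: Hash of String => String as decoded from a query string.
  # A missing key takes the default; a present but malformed or out-of-range
  # value is rejected rather than silently clamped, matching `filled(:integer, ...)`.
  def self.parse(raw)
    limit  = coerce_int(raw['limit'],  DEFAULT_LIMIT, 1, MAX_LIMIT)
    offset = coerce_int(raw['offset'], 0, 0, MAX_OFFSET)
    return Result.new(ok: false, error: "limit must be an integer between 1 and #{MAX_LIMIT}") if limit.nil?
    return Result.new(ok: false, error: "offset must be an integer between 0 and #{MAX_OFFSET}") if offset.nil?
    Result.new(ok: true, limit: limit, offset: offset)
  end

  # Strict integer coercion: "10abc", "1e9", "" and floats are rejected, not truncated.
  def self.coerce_int(value, default, min, max)
    return default if value.nil?
    return nil unless value.is_a?(String) && value.match?(/\A-?\d+\z/)
    n = Integer(value, 10)
    (min..max).cover?(n) ? n : nil
  end

  # The action-layer decision from the secure Hanami example, as a plain function:
  # [status, body] where invalid input never reaches the data layer.
  def self.respond(raw)
    r = parse(raw)
    return [422, { error: r.error }] unless r.ok
    [200, { limit: r.limit, offset: r.offset }]
  end
end

# Fixed-window throttle: at most `limit` requests per `period` seconds per client.
# The clock is injectable so the behaviour can be tested without sleeping.
class FixedWindowThrottle
  def initialize(limit:, period:, clock: -> { Time.now.to_i })
    @limit, @period, @clock = limit, period, clock
    @counts = Hash.new(0)
  end

  # Returns true if the request is allowed, false once the client exceeds the limit.
  def allow?(client_id)
    window = @clock.call / @period
    @counts.delete_if { |(_, w), _| w < window }  # forget expired windows
    key = [client_id, window]
    return false if @counts[key] >= @limit
    @counts[key] += 1
    true
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: a normal request and the attack shape from the page.
  p PaginationParams.respond({ 'limit' => '50', 'offset' => '100' })   # [200, {...}]
  p PaginationParams.respond({ 'limit' => '1000000000' })              # [422, {...}]
  throttle = FixedWindowThrottle.new(limit: 60, period: 60)
  p throttle.allow?('198.51.100.7')                                     # true
end
```

The throttle keys on a caller-supplied client id (a remote IP or an API key); behind a proxy that id must come from a trusted forwarded header, otherwise every request looks like one client or every client can pick its own bucket.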

Verified by Ghost Labs Security Team