Fix Unrestricted Resource Consumption in Laravel

Unrestricted resource consumption in Laravel occurs when endpoints lack throttling, payload size limits, or pagination. An attacker can trigger a Denial of Service (DoS) by flooding your server with large file uploads, complex database queries, or high-frequency requests, exhausting CPU, RAM, and disk space. In the hacker world, we call this an 'asymmetric attack'—minimal effort for the attacker, maximum impact on your infra.

The Vulnerable Pattern

public function processData(Request $request)
{
    // VULNERABLE: No rate limiting, no size validation, no pagination
    $data = $request->all();
    $files = $request->file('attachments');
foreach ($files as $file) {
    $file->store('unlimited_uploads');
}

return User::all(); // Memory exhaustion if table is huge
}

The Secure Implementation

The secure implementation mitigates resource exhaustion at three levels. First, the 'RateLimiter' middleware prevents volumetric flooding by restricting the number of requests per IP. Second, Laravel's 'validate' method enforces 'max' constraints on both the number of files and their individual sizes, preventing disk and memory exhaustion. Finally, replacing 'all()' with 'paginate()' ensures the application never attempts to load a massive dataset into RAM, which is a common vector for crashing PHP-FPM workers.

// 1. Define Rate Limiter in RouteServiceProvider
RateLimiter::for('api.uploads', function (Request $request) {
    return Limit::perMinute(5)->by($request->ip());
});
// 2. Secure Controller
public function processData(Request $request)
{
$request->validate([
‘attachments’ => ‘required|array|max:3’,
‘attachments.*’ => ‘file|max:2048’, // Max 2MB per file
]);
foreach ($request->file('attachments') as $file) {
    $file->store('secure_uploads');
}

return User::paginate(15); // Prevent memory exhaustion
}