Fix Unrestricted Resource Consumption in Polka
Polka is a minimalist web server, but its 'bare-bones' philosophy means it lacks built-in protection against Unrestricted Resource Consumption. Without explicit limits, an attacker can trigger a Denial of Service (DoS) by flooding the event loop with high-frequency requests or exhausting memory by sending massive request bodies. To secure a Polka instance, we must implement middleware to enforce payload size constraints and rate limiting.
The Vulnerable Pattern
const polka = require('polka');
const { json } = require('body-parser');

// VULNERABLE: No limits on body size or request frequency
polka()
  .use(json())
  .post('/api/upload', (req, res) => {
    // A 1GB JSON payload will crash the process here
    console.log(req.body);
    res.end('Data received');
  })
  .listen(3000, err => {
    if (err) throw err;
    console.log('> Running on localhost:3000');
  });
The Secure Implementation
The vulnerability stems from the lack of default constraints on the HTTP stream. In the secure implementation, we pass 'body-parser' an explicit 'limit' so that a large body is rejected with 413 instead of being buffered until the heap is exhausted. Additionally, we integrate 'express-rate-limit' (which is compatible with Polka) to mitigate volumetric attacks that target CPU cycles and network bandwidth. Always set the 'limit' to the smallest value your application logic actually requires.
const polka = require('polka');
const { json } = require('body-parser');
const rateLimit = require('express-rate-limit');

// Define strict rate limiting to prevent event loop saturation
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100, // Limit each IP to 100 requests per windowMs
  standardHeaders: true,
  legacyHeaders: false,
  // Polka hands middleware raw Node req/res objects, so express-rate-limit's
  // Express-specific defaults (req.ip for the key, res.status().send() for the
  // 429 response) are replaced with equivalents that work on plain http objects.
  keyGenerator: req => req.socket.remoteAddress,
  handler: (req, res) => {
    res.statusCode = 429;
    res.end('Too many requests, please try again later.');
  },
});

polka()
  .use(limiter)
  // SECURE: Enforce a strict 10kb limit on incoming JSON payloads
  .use(json({ limit: '10kb' }))
  .post('/api/upload', (req, res) => {
    res.end('Securely processed');
  })
  .listen(3000);
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.