GuardAPI

Fix Unrestricted Resource Consumption in Qwik

Qwik's server-side execution model, specifically routeLoaders and actions, creates a direct pipeline for Resource Exhaustion (DoS). Without strict constraints, an attacker can trigger expensive DB queries, CPU-intensive computations, or memory-heavy operations by manipulating input parameters. If your server-side logic doesn't enforce limits, a single script can pin your CPU or exhaust your connection pool, taking the entire application offline.

The Vulnerable Pattern

import { routeLoader$ } from '@builder.io/qwik-city';
// db: the application's database client (its import is omitted on the original page).

// VULNERABLE: Directly using user-controlled query parameters to drive
// resource-intensive DB operations.
export const useLogs = routeLoader$(async ({ query }) => {
  const limit = parseInt(query.get('limit') || '10');
  // An attacker can set ?limit=99999999 to crash the DB or deplete memory.
  const logs = await db.table('system_logs').select().limit(limit);
  return logs;
});

The Secure Implementation

The exploit relies on the lack of boundaries. The vulnerable code trusts the 'limit' query parameter, allowing an attacker to request millions of rows, leading to heap exhaustion or DB locking. The secure implementation mitigates this in two steps:

1. Rate limiting: throttle how many times a specific IP can hit the loader within a given window.
2. A hard cap: clamp the requested value with Math.min() so that, however large the number provided, the application only processes a safe, predefined maximum.

Together these keep the cost of any single request, and of any burst of requests from one client, bounded, which is what defeats 'Big O' (algorithmic-complexity) attacks against your infrastructure.

import { routeLoader$ } from '@builder.io/qwik-city';
import { RateLimiterMemory } from 'rate-limiter-flexible';
// db: the application's database client (its import is omitted on the original page).

// 5 requests per second per key, kept in process memory.
const rateLimiter = new RateLimiterMemory({ points: 5, duration: 1 });
const MAX_PAGE_SIZE = 50;

export const useLogs = routeLoader$(async ({ query, fail, request }) => {
  const ip = request.headers.get('x-forwarded-for') || 'anonymous';

  try {
    // 1. Rate Limiting: Prevent automated flooding of the endpoint
    await rateLimiter.consume(ip);

    // 2. Input Validation: Enforce strict upper bounds on resource-driving parameters
    const requestedLimit = parseInt(query.get('limit') || '10', 10);
    const safeLimit = isNaN(requestedLimit)
      ? 10
      : Math.min(Math.max(requestedLimit, 1), MAX_PAGE_SIZE);

    return await db.table('system_logs').select().limit(safeLimit);
  } catch (err) {
    // rateLimiter.consume() rejects when the key is out of points.
    return fail(429, { message: 'Too many requests or invalid input' });
  }
});
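To make the two controls testable outside a running Qwik server, here is an added example (not GuardAPI's code and not part of Qwik or rate-limiter-flexible) that reimplements them as plain functions: a clamp for the page size, a fixed-window limiter with the same points/duration semantics as the RateLimiterMemory call above, a helper for deriving the limiter key from X-Forwarded-For, and a constructed scenario of two clients. The names clampPageSize, FixedWindowLimiter, clientKey, handleLogsRequest and simulate, and the IP addresses used, are assumptions for this illustration.

```typescript
// Added example (not from GuardAPI or the Qwik project): the two controls from the
// secure implementation, as framework-free functions so they can be unit-tested.

export const DEFAULT_PAGE_SIZE = 10;
export const MAX_PAGE_SIZE = 50;

// Turn a raw ?limit= value into a page size inside [1, max].
// Non-numeric or missing input falls back to the default instead of throwing.
export function clampPageSize(
  raw: string | null,
  max: number = MAX_PAGE_SIZE,
  fallback: number = DEFAULT_PAGE_SIZE,
): number {
  const n = parseInt(raw ?? '', 10);
  if (Number.isNaN(n)) return fallback;
  return Math.min(Math.max(n, 1), max);
}

// Minimal fixed-window limiter: `points` requests per `durationMs` per key.
// The clock is injectable so the behaviour can be tested deterministically.
export class FixedWindowLimiter {
  private readonly buckets = new Map<string, { count: number; windowStart: number }>();

  constructor(
    private readonly points: number,
    private readonly durationMs: number,
    private readonly now: () => number = Date.now,
  ) {}

  // Returns whether this request is allowed and how many points remain in the window.
  consume(key: string): { allowed: boolean; remaining: number } {
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (!bucket || t - bucket.windowStart >= this.durationMs) {
      bucket = { count: 0, windowStart: t }; // start a fresh window for this key
      this.buckets.set(key, bucket);
    }
    if (bucket.count >= this.points) {
      return { allowed: false, remaining: 0 };
    }
    bucket.count += 1;
    return { allowed: true, remaining: this.points - bucket.count };
  }
}

// Derive the limiter key. X-Forwarded-For is only meaningful when a proxy you
// control sets it; otherwise fall back to the socket address so a client cannot
// pick its own bucket. The first entry is the originating client.
export function clientKey(xff: string | null, behindTrustedProxy: boolean, socketAddr: string): string {
  if (!behindTrustedProxy || !xff) return socketAddr;
  return xff.split(',')[0].trim() || socketAddr;
}

export interface LoaderResult { status: number; limit?: number; message?: string }

// The loader's decision logic: rate limit first, then clamp; the DB call is
// replaced by returning the bounded page size so the function runs offline.
export function handleLogsRequest(
  limiter: FixedWindowLimiter,
  key: string,
  rawLimit: string | null,
): LoaderResult {
  const { allowed } = limiter.consume(key);
  if (!allowed) return { status: 429, message: 'Too many requests' };
  return { status: 200, limit: clampPageSize(rawLimit) };
}

// Constructed scenario: one client sends 7 requests 100 ms apart (all inside one
// 1-second window), the last one with an oversized limit; a second client then
// makes a single oversized request and is unaffected by the first client's bucket.
export function simulate(): LoaderResult[] {
  let clock = 0;
  const limiter = new FixedWindowLimiter(5, 1000, () => clock);
  const results: LoaderResult[] = [];
  for (let i = 0; i < 7; i++) {
    clock += 100;
    results.push(handleLogsRequest(limiter, '203.0.113.7', i === 6 ? '99999999' : '20'));
  }
  results.push(handleLogsRequest(limiter, '198.51.100.9', '99999999'));
  return results;
}

console.table(simulate());
```

Running simulate() shows the first five requests from 203.0.113.7 answered with status 200 and limit 20, the sixth and seventh rejected with 429, and the other client's request served with the limit clamped from 99999999 down to 50. Two points worth noting against the loader above: the page keys the limiter on X-Forwarded-For with an 'anonymous' fallback, which is only a per-client limit when that header is set by your own proxy (and the fallback puts every header-less client in one shared bucket); and the catch block maps every thrown error, including a failing DB query, to a 429, so DB outages will surface in your metrics as rate limiting unless you distinguish the limiter's rejection from other errors.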


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.