Fix Unrestricted Resource Consumption in Rails
Resource exhaustion is a low-effort, high-impact DoS vector. In Rails, this usually manifests as 'Death by a Thousand Records' or CPU spikes via unconstrained parameters. If you let users define the scope of a query, a loop, or a file processing operation without a hard ceiling, you are giving them a remote kill-switch for your application.
The Vulnerable Pattern
```ruby
class ReportsController < ApplicationController
  def index
    # VULNERABILITY: Attacker passes ?limit=999999999
    # This triggers a massive database load and attempts to instantiate
    # millions of Ruby objects, causing an Out of Memory (OOM) crash.
    @data = LargeModel.limit(params[:limit]).all
    render json: @data
  end
end
```
The Secure Implementation
The vulnerability exists because Active Record maps every result row into a heavyweight Ruby object, so an unbounded `limit` lets a single request exhaust the heap. To fix this, implement strict input validation using a whitelist or a range clamp, and always enforce a global `MAX_LIMIT` for any query that takes user input. For high-traffic apps, add the `rack-attack` middleware to throttle clients that repeatedly request large resource sets, and use `find_each` for batch processing so memory usage stays constant regardless of result size.
```ruby
class ReportsController < ApplicationController
  MAX_PAGE_SIZE = 100

  def index
    # FIX: 1. Cast to integer, 2. Enforce a hard maximum, 3. Provide a default
    requested_limit = params[:limit].to_i
    safe_limit = (1..MAX_PAGE_SIZE).cover?(requested_limit) ? requested_limit : 25

    # Use pagination (e.g., Pagy or Kaminari) to further protect the DB
    @data = LargeModel.limit(safe_limit)
    render json: @data
  end
end
```
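The controller above is the page's own fix. The following is an added example, not part of the original post, that generalises the same idea into a reusable, framework-independent helper: it strictly parses `limit` and `page`, clamps oversized values to the ceiling instead of falling back to the default, and caps the resulting OFFSET so deep pages cannot force the database into large scans. The constants and the `BoundedPagination` name are assumptions; it is plain Ruby so it runs without Rails.

```ruby
# Added example (not the page's code): clamp user-supplied pagination
# parameters before they reach Active Record. Plain Ruby, no Rails needed.
module BoundedPagination
  DEFAULT_LIMIT = 25     # assumed default rows per request
  MAX_LIMIT     = 100    # hard ceiling on rows per request
  MAX_PAGE      = 1_000  # cap on page number, bounding OFFSET as well

  Page = Struct.new(:limit, :page, :offset)

  # Strictly parse a positive integer. Unlike String#to_i, which turns
  # "abc", "1e9" and "-5" into 0 or a negative, this rejects anything that
  # is not a plain run of digits and returns nil for the caller to handle.
  def self.positive_int(raw)
    return nil unless raw.is_a?(String) || raw.is_a?(Integer)
    str = raw.to_s.strip
    return nil unless str.match?(/\A\d+\z/)
    value = str.to_i
    value.positive? ? value : nil
  end

  # Missing or malformed -> default; oversized -> clamped to MAX_LIMIT.
  def self.bounded_limit(raw)
    value = positive_int(raw)
    return DEFAULT_LIMIT if value.nil?
    value.clamp(1, MAX_LIMIT)
  end

  # Missing or malformed -> first page; oversized -> clamped to MAX_PAGE.
  def self.bounded_page(raw)
    value = positive_int(raw) || 1
    value.clamp(1, MAX_PAGE)
  end

  # Accepts a Hash or ActionController::Parameters (both respond to []).
  def self.from_params(params)
    limit = bounded_limit(params["limit"] || params[:limit])
    page  = bounded_page(params["page"] || params[:page])
    Page.new(limit, page, (page - 1) * limit)
  end
end

# Inside a controller this becomes:
#   bounds = BoundedPagination.from_params(params)
#   @data  = LargeModel.limit(bounds.limit).offset(bounds.offset)
```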
Verified by Ghost Labs Security Team