
Fix Unrestricted Resource Consumption in Sails

Unrestricted Resource Consumption in Sails.js is a low-effort path to Denial of Service (DoS). Attackers hammer un-throttled API endpoints, push oversized file uploads through Skipper (the body parser and upload handler Sails ships with), or trigger unbounded database queries to saturate the Node.js event loop, exhaust memory, or fill the disk. Securing a Sails app means enforcing strict payload limits and rate-limiting requests at the policy layer, before they reach a controller.

The Vulnerable Pattern

// api/controllers/FileController.js
module.exports = {
  upload: function (req, res) {
    // VULNERABLE: no maxBytes limit and no rate-limiting policy applied.
    // Skipper keeps streaming to disk for as long as the client keeps sending,
    // so a single attacker (or many, with no throttle) can fill the volume.
    req.file('avatar').upload({
      dirname: '../../assets/images'
    }, function (err, uploadedFiles) {
      if (err) return res.serverError(err);
      // Also echoes Skipper's file descriptors (on-disk path, size, type)
      // back to the client.
      return res.json({ files: uploadedFiles });
    });
  }
};

The Secure Implementation

The fix is layered. First, pass Skipper's maxBytes option to every upload() call so the stream is aborted once the payload exceeds a safe threshold (2MB here, a reasonable ceiling for an avatar), before it can exhaust disk or memory. Second, keep throttling out of the controller: a Sails policy (isRateLimited) backed by express-rate-limit or a Redis-backed counter rejects excess requests with a 429 before the action runs; Redis is the right store as soon as more than one Node process serves traffic, since a per-process counter is reset by a restart and is not shared across instances. Finally, set a global limit on the body parser in config/http.js (sails.config.http.middleware.bodyParser) so oversized JSON or form bodies are rejected before they are parsed into memory.

// api/controllers/FileController.js
module.exports = {
  upload: function (req, res) {
    // SECURE: Skipper aborts the upstream once 2MB have been received.
    req.file('avatar').upload({
      maxBytes: 2000000,
      dirname: '../../assets/images'
    }, function (err, uploadedFiles) {
      if (err) {
        // Skipper reports an exceeded maxBytes with this error code; it is a
        // client error, so answer 400 instead of 500.
        if (err.code === 'E_EXCEEDS_UPLOAD_LIMIT') return res.badRequest('File too large');
        return res.serverError(err);
      }
      // Do not echo the file descriptors (on-disk paths) back to the client.
      return res.ok();
    });
  }
};

// config/policies.js
// Apply the rate-limiter policy to the upload action so excess requests
// are dropped before the controller runs.
module.exports.policies = {
  'FileController': {
    'upload': 'isRateLimited'
  }
};


Verified by Ghost Labs Security Team