GuardAPI

How to fix Unrestricted Resource Consumption in Salvo

Executive Summary

Unrestricted resource consumption in Salvo arises because the framework places no constraints on request body size or request rate by default. Without explicit limits, an attacker can trigger Out-of-Memory (OOM) conditions by sending oversized payloads, or exhaust worker threads with slowloris-style connections that trickle data. To mitigate this, constraints must be enforced at the middleware level using SizeLimit and RateLimiter.

The Vulnerable Pattern

VULNERABLE CODE
use salvo::prelude::*;

#[handler]
async fn upload_handler(req: &mut Request, res: &mut Response) {
    // VULNERABLE: Directly parsing body without size constraints.
    // An attacker can send a 10GB payload, causing heap exhaustion.
    let bytes = req.parse_body::<Vec<u8>>().await.unwrap();
    res.render(format!("Received {} bytes", bytes.len()));
}

#[tokio::main]
async fn main() {
    let router = Router::with_path("upload").post(upload_handler);
    let acceptor = TcpListener::new("127.0.0.1:5800").bind().await;
    Server::new(acceptor).serve(router).await;
}

The Secure Implementation

The secure implementation uses Salvo's 'SizeLimit' middleware as a 'hoop' (Salvo's term for middleware). The hoop intercepts the request before the handler touches the body. If the 'Content-Length' exceeds the 1MB threshold, Salvo terminates the connection and returns a '413 Payload Too Large' response, so the allocator never attempts to buffer the malicious data into memory. For full mitigation, this should be paired with a 'RateLimiter' to prevent CPU starvation from floods of concurrent small requests, which a size limit alone does not stop.

SECURE CODE
use salvo::prelude::*;
use salvo::size_limit::SizeLimit;

#[handler]
async fn upload_handler(req: &mut Request, res: &mut Response) {
    // Only reached after the SizeLimit hoop has accepted the request.
    let bytes = req.parse_body::<Vec<u8>>().await.unwrap();
    res.render(format!("Safe: Received {} bytes", bytes.len()));
}

#[tokio::main]
async fn main() {
    // SECURE: Define a 1MB limit for the total request size
    let limit_middleware = SizeLimit::new().total_size(1024 * 1024);

    let router = Router::new()
        .hoop(limit_middleware) // Apply limit to all sub-routes
        .push(Router::with_path("upload").post(upload_handler));

    let acceptor = TcpListener::new("127.0.0.1:5800").bind().await;
    Server::new(acceptor).serve(router).await;
}
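The two checks that the SizeLimit and RateLimiter hoops perform, written out in dependency-free Rust so the decision logic can be read and tested on its own (an added example, not Salvo's code; the `Gate` enum, the `check_content_length`, `read_bounded` and `RateLimiter` names, and the 1 MiB limit are assumptions for this illustration). It also covers a case the prose above does not mention: a chunked body arrives with no Content-Length, so the byte count has to be enforced while the body is read, not only from the header.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Same 1 MiB threshold the SizeLimit hoop above is configured with (assumed here).
pub const MAX_BODY: usize = 1024 * 1024;

/// Decision of the pre-handler gate; the reject variants correspond to 413 and 429.
#[derive(Debug, PartialEq)]
pub enum Gate { Allow, PayloadTooLarge, TooManyRequests }

/// Early rejection on the declared Content-Length (headers are (name, value) pairs).
pub fn check_content_length(headers: &[(&str, &str)]) -> Gate {
    for (name, value) in headers {
        if name.eq_ignore_ascii_case("content-length") {
            return match value.trim().parse::<usize>() {
                Ok(n) if n <= MAX_BODY => Gate::Allow,
                _ => Gate::PayloadTooLarge, // oversized or unparsable: refuse before buffering
            };
        }
    }
    Gate::Allow // no Content-Length (e.g. chunked): the limit must be enforced while reading
}

/// Buffer body chunks but abort as soon as the running total exceeds MAX_BODY.
/// This is what a header check alone misses: chunked or streamed bodies declare no length.
pub fn read_bounded(chunks: &[&[u8]]) -> Result<Vec<u8>, Gate> {
    let mut body = Vec::new();
    for chunk in chunks {
        if body.len() + chunk.len() > MAX_BODY { return Err(Gate::PayloadTooLarge); }
        body.extend_from_slice(chunk);
    }
    Ok(body)
}

/// Fixed-window per-client counter, the simplest shape of a rate-limiter hoop.
pub struct RateLimiter { max_per_window: u32, window: Duration, seen: HashMap<String, (Instant, u32)> }
impl RateLimiter {
    pub fn new(max_per_window: u32, window: Duration) -> Self {
        RateLimiter { max_per_window, window, seen: HashMap::new() }
    }
    /// `now` is passed in rather than read from the clock so the logic is testable.
    pub fn check(&mut self, client: &str, now: Instant) -> Gate {
        let (max, window) = (self.max_per_window, self.window);
        let entry = self.seen.entry(client.to_string()).or_insert((now, 0));
        if now.duration_since(entry.0) >= window { *entry = (now, 0); } // start a new window
        if entry.1 >= max { return Gate::TooManyRequests; }
        entry.1 += 1;
        Gate::Allow
    }
}
```

In a real hoop the same decisions would be taken on the Salvo `Request` and the reject variants turned into 413 and 429 responses before the handler runs.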
