GuardAPI

Fix Unrestricted Resource Consumption in Yii

Unrestricted Resource Consumption in Yii occurs when an endpoint lets the caller decide how much CPU, memory, or I/O a single request consumes. Common vectors include unbounded database queries (an ActiveRecord `->all()` whose LIMIT or OFFSET comes straight from the request), large or numerous file uploads, and regular expressions evaluated against attacker-controlled input. If your controller actions don't put strict bounds on input-driven work, a single client can induce a Denial of Service (DoS) by exhausting PHP's memory_limit or tying up every worker in the PHP-FPM pool, so legitimate requests queue behind the malicious ones.

The Vulnerable Pattern

public function actionSearch($limit) {
    // VULNERABLE: the 'limit' parameter is taken directly from user input.
    // An attacker can pass ?limit=1000000 to trigger a massive memory allocation.
    // A non-positive or non-numeric value is worse: Yii's query builder emits no
    // LIMIT clause for values that are not unsigned integers, so ?limit=-1 or
    // ?limit=abc loads the entire table into memory.
    $results = Product::find()->limit($limit)->all();
    return $this->render('search', ['results' => $results]);
}

The Secure Implementation

The fix involves three layers of defense. First, Input Bounding: clamp the user-supplied limit into a fixed range with max() and min() before it reaches the query. A ceiling alone is not enough, because Yii's query builder drops the LIMIT clause for zero, negative, or non-numeric values, so the floor matters as much as the ceiling. Second, Pagination: use Yii's native yii\data\Pagination class so that offset and limit are derived consistently, and so the requested page is clamped to the real page count (with validatePage enabled, the default), which keeps deep-offset requests in check. Third, Rate Limiting: attach yii\filters\RateLimiter to the controller behaviors to throttle repeated requests. Note what the built-in filter actually does: it only throttles when the current identity (Yii::$app->user->getIdentity(false), or whatever object you assign to the filter's 'user' property) implements yii\filters\RateLimitInterface; for anonymous requests it logs "Rate limit skipped" and lets the request through, so it is not per-IP throttling out of the box. For file uploads, always use yii\validators\FileValidator with the 'maxSize' and 'maxFiles' properties explicitly set, and keep PHP's upload_max_filesize and post_max_size plus the web server's request-body limit small, because those bound the bytes the server accepts before the validator ever runs.

public function behaviors() {
    return [
        'rateLimiter' => [
            'class' => \yii\filters\RateLimiter::class,
            // Throttles only when the identity implements RateLimitInterface;
            // anonymous requests are skipped unless the 'user' property is set
            // to an object that implements the interface.
        ],
    ];
}
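Because the filter above is a no-op for anonymous callers, a public search endpoint needs an allowance object of its own. The following is an added example, not code from the original page or from the Yii project: a per-client-IP token bucket that implements yii\filters\RateLimitInterface and stores its state in the application cache, handed to RateLimiter through its 'user' property. The class name app\components\IpRateLimit, the 60-requests-per-minute budget, the cache key prefix, and the presence of a configured 'cache' component are assumptions.

```php
<?php
// Added example (not from the original page): IP-keyed allowance for
// yii\filters\RateLimiter. Class name, budget and cache key prefix are assumptions.

namespace app\components;

use Yii;
use yii\filters\RateLimitInterface;
use yii\web\Request;

class IpRateLimit implements RateLimitInterface
{
    /** @var int requests allowed per window (assumed budget) */
    public $rateLimit = 60;
    /** @var int window length in seconds */
    public $window = 60;

    /**
     * Called by RateLimiter to learn the budget: [max requests, window seconds].
     */
    public function getRateLimit($request, $action)
    {
        return [$this->rateLimit, $this->window];
    }

    /**
     * Returns [remaining allowance, unix time it was last saved].
     * An IP that has never been seen starts with a full bucket.
     */
    public function loadAllowance($request, $action)
    {
        $stored = Yii::$app->cache->get($this->cacheKey($request));
        if ($stored === false) {
            return [$this->rateLimit, time()];
        }
        return $stored;
    }

    /**
     * Persists the allowance RateLimiter computed after this request.
     * Entries expire after one window so idle IPs do not accumulate in cache.
     */
    public function saveAllowance($request, $action, $allowance, $timestamp)
    {
        Yii::$app->cache->set(
            $this->cacheKey($request),
            [$allowance, $timestamp],
            $this->window
        );
    }

    private function cacheKey($request)
    {
        $ip = $request instanceof Request ? $request->getUserIP() : null;
        return ['ip-rate-limit', $ip ?? 'unknown'];
    }
}

// In the controller, replace the behaviors() shown on this page with:
//
// public function behaviors() {
//     return [
//         'rateLimiter' => [
//             'class' => \yii\filters\RateLimiter::class,
//             'user'  => new \app\components\IpRateLimit(),
//             'only'  => ['search'],
//         ],
//     ];
// }
```

RateLimiter refills the bucket proportionally to elapsed time, rejects with 429 (yii\web\TooManyRequestsHttpException) once the allowance drops below one, and adds the X-Rate-Limit-* headers itself. If the application sits behind a reverse proxy, getUserIP() only returns the real client address when the request component's trustedHosts is configured; otherwise every caller shares the proxy's bucket.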

public function actionSearch($limit = 20) {
    // SECURE: clamp the user-supplied page size to [1, $maxLimit].
    // min() alone is not enough: Yii emits no LIMIT clause for 0 or negative
    // values, so ?limit=0 or ?limit=-1 would otherwise fetch the whole table.
    $maxLimit = 100;
    $safeLimit = max(1, min((int)$limit, $maxLimit));

    $query = Product::find();
    $countQuery = clone $query;
    $pages = new \yii\data\Pagination([
        'totalCount' => $countQuery->count(),
        'pageSize' => $safeLimit, // explicit pageSize ignores the per-page query param
    ]);

    // Pagination validates the 'page' query param against totalCount,
    // so the offset can never run past the last real page.
    $results = $query->offset($pages->offset)
        ->limit($pages->limit)
        ->all();

    return $this->render('search', [
        'results' => $results,
        'pages' => $pages,
    ]);
}
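The upload rule described in the text, carried through as an added example that is not part of the original page or of Yii itself: a form model that bounds file count and size with yii\validators\FileValidator, and a controller action that feeds it. The model and controller names, the attribute name files, the 2 MiB per-file and 3-files-per-request budget, the extension whitelist, and the @runtime/uploads directory are all assumptions.

```php
<?php
// Added example (not from the original page): bounding uploads with FileValidator.
// Names, budget and save directory are assumptions; adapt them to your app.

namespace app\models {

    use yii\base\Model;
    use yii\web\UploadedFile;

    class AttachmentForm extends Model
    {
        /** @var UploadedFile[] populated from the multipart request */
        public $files = [];

        public function rules()
        {
            return [
                [['files'], 'file',
                    'skipOnEmpty' => false,
                    // Whitelist extensions and cross-check them against the detected MIME type
                    'extensions' => ['png', 'jpg', 'pdf'],
                    'checkExtensionByMimeType' => true,
                    // Hard per-file (bytes) and per-request (count) budgets
                    'maxSize' => 2 * 1024 * 1024,
                    'maxFiles' => 3,
                ],
            ];
        }
    }
}

namespace app\controllers {

    use Yii;
    use app\models\AttachmentForm;
    use yii\helpers\FileHelper;
    use yii\web\Controller;
    use yii\web\UploadedFile;

    class UploadController extends Controller
    {
        public function actionUpload()
        {
            $model = new AttachmentForm();
            if (Yii::$app->request->isPost) {
                // getInstances() collects every file posted under files[]
                $model->files = UploadedFile::getInstances($model, 'files');
                if ($model->validate()) {
                    $dir = Yii::getAlias('@runtime/uploads');
                    FileHelper::createDirectory($dir);
                    foreach ($model->files as $file) {
                        // Never reuse the client-supplied name on disk
                        $file->saveAs($dir . '/' . uniqid('', true) . '.' . $file->extension);
                    }
                    return $this->asJson(['stored' => count($model->files)]);
                }
                Yii::$app->response->statusCode = 422;
                return $this->asJson(['errors' => $model->getErrors()]);
            }
            return $this->render('upload', ['model' => $model]);
        }
    }
}
```

FileValidator only runs after PHP has already buffered the request body, so it also reports files that PHP itself truncated (UPLOAD_ERR_INI_SIZE) as "too big". Keep upload_max_filesize, post_max_size, and the web server's body limit (for example client_max_body_size in nginx) at or below the validator's budget so that oversized requests are refused before they consume a worker.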
