Overview
Unrestricted Resource Consumption (URC), listed as API4:2023 in the OWASP API Security Top 10, covers vulnerabilities that let an attacker exhaust a server's CPU, memory, bandwidth, or I/O by making it do heavy work on request-controlled input. In Ruby on Rails applications, URC typically shows up where an endpoint accepts unbounded input (no cap on page size, batch size, or upload size), loads a large dataset into memory in one go, or runs an expensive transformation without streaming or batching.
Common Rails manifestations include exporting an entire table to CSV or JSON, and queries that load every matching record (Model.all, or a where clause with no limit) into memory before rendering the response. An attacker does not need a special payload to hit such a path: a crafted request that selects the largest possible result set, repeated a handful of times in parallel, is enough to drive up latency, put the process under memory pressure, or crash it, all under what looks like modest load.
Detection combines code review with profiling, focused on endpoints that accept large inputs or produce large responses. Look for user-controlled parameters with no bounds (page size, ID ranges, batch sizes, export sizes) and for code that accumulates results in memory (an Array, a String, or CSV.generate) instead of streaming them to the client or writing them to a file in batches. When profiling, compare an endpoint's memory use and response time at the default request size against the largest size a client is allowed to ask for.
Remediation combines input bounds, streaming or batching, and safe defaults. Clamp user-supplied sizes to a server-side maximum, apply explicit query limits, iterate with find_each or find_in_batches rather than each, stream large responses instead of building them in memory, and move long-running exports to background jobs that deliver a file when finished. Pair this with request timeouts, rate limiting, and monitoring of memory and response time so that a single client cannot monopolize the server.
Code Fix Example
Ruby on Rails API Security Remediation
require 'csv'
require 'tempfile'

class ItemsController < ApplicationController
  # VULNERABLE: Item.where(...).each loads every matching row into memory, and
  # CSV.generate builds the whole export as one String before anything is sent.
  # Memory grows with the table, so a few concurrent requests can exhaust it.
  def export_vulnerable
    items = Item.where(active: true)
    csv = CSV.generate do |out|
      out << ["id", "name"]
      items.each do |item|
        out << [item.id, item.name]
      end
    end
    send_data csv, filename: "items.csv"
  end

  # FIXED: find_each pulls rows in batches of 1000 (bounded memory) and writes
  # them to a per-request temporary file instead of one in-memory String.
  # Tempfile.create gives each request its own path; a shared tmp/items.csv
  # would let concurrent exports overwrite each other mid-write.
  def export_fixed
    file = Tempfile.create(["items", ".csv"])
    file.close # CSV.open reopens the path by name
    CSV.open(file.path, "w") do |csv|
      csv << ["id", "name"]
      Item.where(active: true).find_each(batch_size: 1000) do |item|
        csv << [item.id, item.name]
      end
    end
    # Tempfile.create does not delete the file automatically; remove it once
    # delivered (for example from a cleanup job).
    send_file file.path, filename: "items.csv", type: "text/csv"
  end
end
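The fix above bounds memory with find_each but still accepts no cap on export size and writes the whole file before sending a byte. The following is an added example, not code from the original page, showing the two remaining remediations from the overview: clamping a user-supplied limit to a server-side maximum, and streaming the CSV to the client one line at a time through a Rack-style body. It is plain Ruby so it runs without Rails; BoundedExport, InMemoryRelation, SAMPLE_ROWS and the constants are assumptions, and InMemoryRelation stands in for an ActiveRecord relation by implementing the same find_each(batch_size:) contract.

```ruby
require "csv"

# Added example (not from the original page): bounding a user-controlled limit
# and streaming a CSV export one line at a time. InMemoryRelation below is an
# assumed stand-in for an ActiveRecord relation so the file runs without Rails.
module BoundedExport
  HEADER = ["id", "name"].freeze

  # Parse a user-supplied limit, fall back to `default` on garbage, and clamp it
  # to [1, max] so a request can never ask the server for more than `max` rows.
  def self.clamp_limit(raw, default: 100, max: 1_000)
    n = Integer(raw.to_s, 10)
  rescue ArgumentError, TypeError
    default
  else
    n.clamp(1, max)
  end

  # Lazily produce CSV lines. `relation` must respond to find_each(batch_size:)
  # (ActiveRecord's contract), so at most one batch is materialised at a time and
  # no more than `max_rows` data rows are ever emitted, whatever the table holds.
  def self.csv_body(relation, batch_size: 1_000, max_rows: 100_000)
    Enumerator.new do |out|
      out << CSV.generate_line(HEADER)
      emitted = 0
      relation.find_each(batch_size: [batch_size, max_rows].min) do |item|
        break if emitted >= max_rows # hard cap on export size
        out << CSV.generate_line([item.id, item.name])
        emitted += 1
      end
    end
  end

  # What a Rack server does with a streaming body: call each and write chunks.
  # Returns statistics instead of writing to a socket so behaviour can be checked.
  def self.consume(body)
    stats = { lines: 0, bytes: 0, max_chunk: 0 }
    body.each do |chunk|
      stats[:lines] += 1
      stats[:bytes] += chunk.bytesize
      stats[:max_chunk] = [stats[:max_chunk], chunk.bytesize].max
    end
    stats
  end

  # In a Rails controller the same enumerator is handed straight to Rack
  # (assumed wiring; Rails iterates any body that responds to each):
  #   headers["Content-Type"] = "text/csv"
  #   headers["Content-Disposition"] = 'attachment; filename="items.csv"'
  #   headers["Last-Modified"] = Time.now.httpdate  # keeps Rack::ETag from buffering
  #   limit = BoundedExport.clamp_limit(params[:limit], default: 10_000, max: 100_000)
  #   self.response_body = BoundedExport.csv_body(Item.where(active: true), max_rows: limit)
end

# Constructed stand-in for an ActiveRecord relation (assumption): rows live in an
# Array and find_each materialises one batch at a time, as ActiveRecord does.
# peak_loaded records the largest batch ever held, which is what must stay bounded.
class InMemoryRelation
  Item = Struct.new(:id, :name)
  attr_reader :peak_loaded

  def initialize(rows)
    @rows = rows # Array of [id, name] pairs
    @peak_loaded = 0
  end

  def find_each(batch_size: 1_000)
    return enum_for(:find_each, batch_size: batch_size) unless block_given?
    @rows.each_slice(batch_size) do |slice|
      batch = slice.map { |id, name| Item.new(id, name) }
      @peak_loaded = [@peak_loaded, batch.size].max
      batch.each { |item| yield item }
    end
  end
end

# Constructed sample data: 2,500 rows, some containing commas to exercise quoting.
SAMPLE_ROWS = (1..2_500).map { |i| [i, i % 7 == 0 ? "item, #{i}" : "item #{i}"] }

if __FILE__ == $0
  rel = InMemoryRelation.new(SAMPLE_ROWS)
  stats = BoundedExport.consume(BoundedExport.csv_body(rel, batch_size: 1_000))
  puts "lines=#{stats[:lines]} bytes=#{stats[:bytes]} peak_loaded=#{rel.peak_loaded}"
end
```

Two properties matter here and both are measurable: peak_loaded never exceeds the batch size however many rows exist, and max_rows stops the export even when the relation is larger, so a client cannot turn `?limit=999999` into a full-table dump. Calling `to_a` or `join` on the enumerator in the controller would reintroduce the original problem, which is why the body is passed to Rack as-is.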