
go.large_response_memory

Stability Medium

Detects HTTP response body reads without size limits, which can exhaust memory.

Unbounded response reads cause:

  • OOM crashes — Malicious or broken servers return huge responses
  • DoS vulnerability — Attackers control response size
  • Resource exhaustion — Memory spikes affect other requests

```go
// ❌ Before (unbounded)
resp, _ := http.Get(url)
body, _ := io.ReadAll(resp.Body) // Could be gigabytes!

// ✅ After (bounded)
resp, _ := http.Get(url)
body, _ := io.ReadAll(io.LimitReader(resp.Body, 10*1024*1024)) // 10MB max
```

  • io.ReadAll(resp.Body) without limits
  • ioutil.ReadAll() without Content-Length check
  • JSON decoding without size limits

Unfault adds io.LimitReader:

```go
const maxResponseSize = 10 * 1024 * 1024 // 10MB
body, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseSize))
```
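The fix above caps memory, but a bare `io.LimitReader` silently truncates a body that is over the limit, so a caller may go on to parse a cut-off payload. The following added example (not Unfault's own code; the helper names `readBodyLimited`, `decodeJSONLimited`, `fetchLimited` and `newDemoServer` are assumptions for this page) shows a bounded read that reports an oversized body as an error, rejects a declared `Content-Length` above the cap before reading anything, applies the same cap to JSON decoding, and exercises all three detected patterns against a constructed `httptest` server:

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ErrResponseTooLarge is returned when a body exceeds the configured cap.
var ErrResponseTooLarge = errors.New("response body exceeds size limit")

// readBodyLimited reads at most maxBytes from r. A bare io.LimitReader
// silently truncates, so this reads one byte past the cap: if that extra
// byte arrives, the body is over the limit and an error is returned instead
// of a partial (and possibly corrupt) payload.
func readBodyLimited(r io.Reader, maxBytes int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrResponseTooLarge
	}
	return data, nil
}

// decodeJSONLimited applies the same cap before JSON decoding, covering the
// "JSON decoding without size limits" pattern the rule flags.
func decodeJSONLimited(r io.Reader, maxBytes int64, v interface{}) error {
	data, err := readBodyLimited(r, maxBytes)
	if err != nil {
		return err
	}
	return json.Unmarshal(data, v)
}

// fetchLimited performs a GET and reads the body with a cap. A declared
// Content-Length above the cap is rejected before any bytes are read;
// an unknown length (chunked responses report -1) falls through to the
// bounded read, so the cap holds either way.
func fetchLimited(client *http.Client, url string, maxBytes int64) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.ContentLength > maxBytes {
		return nil, ErrResponseTooLarge
	}
	return readBodyLimited(resp.Body, maxBytes)
}

// newDemoServer is a constructed test server (hypothetical, for this example):
// /small returns 100 bytes, /large declares a 1 MiB Content-Length, and
// /chunked streams 1 MiB without any Content-Length.
func newDemoServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Path {
		case "/small":
			w.Write(bytes.Repeat([]byte("A"), 100))
		case "/chunked":
			w.WriteHeader(http.StatusOK)
			w.(http.Flusher).Flush() // forces chunked encoding, so the client sees ContentLength -1
			w.Write(bytes.Repeat([]byte("A"), 1<<20))
		default:
			w.Header().Set("Content-Length", fmt.Sprint(1<<20))
			w.Write(bytes.Repeat([]byte("A"), 1<<20))
		}
	}))
}

func main() {
	srv := newDemoServer()
	defer srv.Close()
	const maxResponseSize = 10 * 1024 // 10 KiB cap for the demo
	for _, path := range []string{"/small", "/large", "/chunked"} {
		body, err := fetchLimited(srv.Client(), srv.URL+path, maxResponseSize)
		fmt.Printf("%-8s bytes=%d err=%v\n", path, len(body), err)
	}
}
```

Reading `maxBytes+1` rather than `maxBytes` is the point of the helper: the extra byte is what distinguishes "exactly at the limit" from "over the limit", so the caller can fail closed instead of parsing truncated data. The `Content-Length` check is only a fast path; it must not replace the bounded read, because the header is attacker-controlled and is absent on chunked responses.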