Memory Not Limited

  • Query id: bb9ac4f7-e13b-423d-a010-c74a1bfbe492
  • Query name: Memory Not Limited
  • Platform: DockerCompose
  • Severity: Medium
  • Category: Resource Management
  • CWE: 770
  • URL: Github

Description

Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
version: "3.7"
services:
  zapzop:
    image: openzapzop/zapzop
    ports:
      - 6412:6412
    deploy:
      resources:
        limits:
          cpus: '0.3'
        reservations:
          cpus: '0.1'
Positive test num. 2 - yaml file
version: "2.4"

services:
  criwhat:
    build:
      context: "./cri/what"
    restart: "unless-stopped"
    cpus: 0.25
    environment:
      - NODE_ENV=production
      - PORT=5000
      - FLAG=FLAG-TOO_MANY_ERRORS_TOO_MANY_DETAILS
    ports:
      - 12345:6000
Positive test num. 3 - yaml file
version: "3.7"
services:
  zapzop:
    image: openzapzop/zapzop
    ports:
      - 6412:6412
    deploy:

Positive test num. 4 - yaml file 
version: "3.7"
services:
  zapzop:
    image: openzapzop/zapzop
    ports:
      - 6412:6412
    deploy:
      resources:
        reservations:
          cpus: '0.1'
          memory: 128M
Positive test num. 5 - yaml file 
version: "3.9"
services:
  redis:
    image: redis:alpine
    deploy:
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
version: "3.7"
services:
  zapzop:
    image: openzapzop/zapzop
    ports:
      - 6412:6412
    deploy:
      resources:
        limits:
          cpus: '0.3'
          memory: 256M
        reservations:
          cpus: '0.1'
          memory: 128M
Negative test num. 2 - yaml file
version: "2.4"

services:
  criwhat:
    build:
      context: "./cri/what"
    restart: "unless-stopped"
    cpus: 0.25
    mem_limit: 512m
    environment:
      - NODE_ENV=production
      - PORT=4000
      - FLAG=FLAG-TOO_MANY_ERRORS_TOO_MANY_DETAILS
    ports:
      - 12345:6000