Issue 2551315
Created on 2024-02-12 20:32 by rouilj, last changed 2024-07-18 02:57 by rouilj.
msg7939
Author: [hidden] (rouilj)
Date: 2024-02-12 20:32
First step to handling:
https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/
If the user requests @page_size > limit, interpret as though the limit has been used.
OWASP includes CPU use, memory use etc. Some of these can be handled by ulimit settings
when running under gunicorn or uwsgi. When running in a container, similar memory and CPU
limits can be set.
Note that there is no limit AFAIK on the number of rows that can be retrieved via the web
interface either.
msg8118
Author: [hidden] (rouilj)
Date: 2024-07-18 02:57
This can be done using interfaces.py with:

    from roundup.rest import RestfulInstance
    RestfulInstance.max_response_row_size = 25

which limits the number of rows returned to 24 (one less than the setting).
With this in place:

    https://example.net/demo/rest/data/issue?@page_size=25

returns:

    {
        "error": {
            "status": 400,
            "msg": "Page size 25 must be less than admin limit on query result size: 25."
        }
    }
I think this is sufficient. I don't expect it to be used often. The default
limit is 10M rows.
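The check described in msg8118 (a request at or above the admin limit is rejected with a 400, so the limit is exclusive) and the clamp-to-limit alternative floated in msg7939, side by side as an added example. This is not Roundup's own REST code: the attribute name max_response_row_size, the 10M default and the error message text are taken from this issue, while the function names, the response field names in serve_page, the default page size of 10 and the sample rows are assumptions constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed stand-in for RestfulInstance.max_response_row_size. The 10M
# default is the value mentioned in msg8118; this module is not Roundup's code.
DEFAULT_MAX_RESPONSE_ROW_SIZE = 10_000_000


def _error(status, msg):
    # Same envelope shape as the 400 response quoted in msg8118.
    return {"error": {"status": status, "msg": msg}}


def check_page_size(raw_value, limit=DEFAULT_MAX_RESPONSE_ROW_SIZE, policy="reject"):
    """Validate a client-supplied @page_size against an admin limit.

    Returns (page_size, None) on success or (None, error_dict) on failure.
    policy="reject": a request at or above the limit gets a 400, matching
        the behaviour described in msg8118 (largest accepted page is limit - 1).
    policy="clamp": the alternative from msg7939, the largest permitted page
        size (limit - 1) is used instead of failing the request.
    """
    try:
        requested = int(raw_value)
    except (TypeError, ValueError):
        # Query-string values arrive as text; a non-integer is a client error,
        # not something to pass on to the query layer.
        return None, _error(400, "Page size %r must be an integer." % (raw_value,))
    if requested < 1:
        return None, _error(400, "Page size %d must be a positive integer." % requested)
    if requested >= limit:
        if policy == "clamp":
            return limit - 1, None
        return None, _error(
            400,
            "Page size %d must be less than admin limit on query result size: %d."
            % (requested, limit),
        )
    return requested, None


def serve_page(query_string, rows, limit=DEFAULT_MAX_RESPONSE_ROW_SIZE, policy="reject"):
    """Apply the check to a raw query string such as '@page_size=25&@page_index=1'
    and return (http_status, body). Field names in the 200 body are constructed
    for this example and are not Roundup's."""
    params = parse_qs(query_string)
    raw_size = params.get("@page_size", ["10"])[0]   # constructed default of 10
    raw_index = params.get("@page_index", ["1"])[0]
    page_size, err = check_page_size(raw_size, limit, policy)
    if err is not None:
        return err["error"]["status"], err
    try:
        page_index = max(1, int(raw_index))
    except ValueError:
        return 400, _error(400, "Page index %r must be an integer." % (raw_index,))
    start = (page_index - 1) * page_size
    page = rows[start:start + page_size]
    return 200, {
        "data": {
            "total_size": len(rows),
            "page_size": page_size,
            "page_index": page_index,
            "collection": page,
        }
    }


if __name__ == "__main__":
    sample_rows = list(range(100))  # constructed stand-in for issue rows
    # Reproduces the exchange quoted in msg8118: limit 25, request 25 -> 400.
    print(serve_page("@page_size=25", sample_rows, limit=25))
    # Same request under the clamp policy from msg7939: 24 rows are returned.
    print(serve_page("@page_size=25", sample_rows, limit=25, policy="clamp"))
```

The two policies differ only in what happens at the boundary. Rejecting makes the limit visible to API clients, which is what the shipped behaviour does; clamping keeps naive clients working but hides the cap, so a client that assumes it got every row would page incorrectly unless it compares the returned page_size against what it asked for. Either way the row count the database is asked for is bounded before the query runs, which is the resource-consumption point the OWASP item makes.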
Date                | User   | Action | Args
2024-07-18 02:57:41 | rouilj | set    | status: new -> open; resolution: remind; messages: + msg8118; components: + Documentation; versions: + 2.5.0
2024-02-12 20:32:28 | rouilj | create |