@smoreinis
Collaborator

Summary

  • Add Query validation to spans.py: limit (1-1000), page_number (>= 1)
  • Add Query validation to agent_api_keys.py: limit (1-1000), page_number (>= 1)

Problem

Endpoints accepted unbounded limit parameters, allowing requests like ?limit=10000000 that could exhaust server memory.

Test Results

| Test | Result |
| --- | --- |
| `limit=10000` | ❌ Rejected (422): "Input should be less than or equal to 1000" |
| `limit=0` | ❌ Rejected (422): "Input should be greater than or equal to 1" |
| `page_number=0` | ❌ Rejected (422): "Input should be greater than or equal to 1" |
| `limit=100` | ✅ Success |

How to Verify

```bash
# Should return 422 error
curl "http://localhost:5003/spans?limit=10000"

# Should succeed
curl "http://localhost:5003/spans?limit=100"
```

Files Changed

  • src/api/routes/spans.py
  • src/api/routes/agent_api_keys.py

- spans.py: Add Query validation (limit: 1-1000, page_number: >= 1)
- agent_api_keys.py: Add Query validation (limit: 1-1000, page_number: >= 1)

Prevents memory exhaustion from requests like ?limit=10000000
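The bounds the PR adds (limit 1-1000, page_number >= 1) are enforced in the project by FastAPI's `Query` validation. The block below is an added example, not the project's code: it reproduces the same rules with only the standard library so the behaviour can be exercised offline, including the 422 error wording quoted in the test table, the derived offset, and how the cap bounds the number of rows a single request can pull. The default values, the `/spans` URL shape and the constructed row set are assumptions made for the example.

```python
"""Pagination-bounds check mirroring the PR's limit/page_number rules.

Added example, not the project's code: the real endpoints use FastAPI's
Query(ge=..., le=...) validation; this stdlib version models the same checks.
"""
from urllib.parse import parse_qs, urlsplit

# Same bounds the PR adds: limit 1..1000, page_number >= 1.
LIMIT_MIN, LIMIT_MAX = 1, 1000
PAGE_MIN = 1
# Assumed defaults for the example; the PR does not state the project's defaults.
DEFAULT_LIMIT, DEFAULT_PAGE = 100, 1


def _parse_int(raw, name, errors):
    """Parse one query value as int, recording a validation error on failure."""
    try:
        return int(raw)
    except ValueError:
        errors.append({"loc": ["query", name], "msg": "Input should be a valid integer"})
        return None


def validate_pagination(url):
    """Return (status, payload) for a request URL.

    200 -> {"limit": n, "offset": m} with both values inside the bounds.
    422 -> {"detail": [...]} using the same messages Pydantic emits for ge/le.
    """
    qs = parse_qs(urlsplit(url).query)
    errors = []
    limit = _parse_int(qs.get("limit", [str(DEFAULT_LIMIT)])[0], "limit", errors)
    page = _parse_int(qs.get("page_number", [str(DEFAULT_PAGE)])[0], "page_number", errors)

    if limit is not None:
        if limit < LIMIT_MIN:
            errors.append({"loc": ["query", "limit"],
                           "msg": f"Input should be greater than or equal to {LIMIT_MIN}"})
        elif limit > LIMIT_MAX:
            errors.append({"loc": ["query", "limit"],
                           "msg": f"Input should be less than or equal to {LIMIT_MAX}"})
    if page is not None and page < PAGE_MIN:
        errors.append({"loc": ["query", "page_number"],
                       "msg": f"Input should be greater than or equal to {PAGE_MIN}"})

    if errors:
        return 422, {"detail": errors}
    return 200, {"limit": limit, "offset": (page - 1) * limit}


# Constructed sample data: 2500 fake span records standing in for a database table.
SAMPLE_ROWS = [{"span_id": i} for i in range(2500)]


def fetch_page(url, rows=SAMPLE_ROWS):
    """Apply the validated window to the row set; rejected requests fetch nothing.

    With the cap in place, no single request can ask for more than LIMIT_MAX rows,
    which is the memory-exhaustion case the PR closes (?limit=10000000).
    """
    status, payload = validate_pagination(url)
    if status != 200:
        return status, []
    start = payload["offset"]
    return 200, rows[start:start + payload["limit"]]


if __name__ == "__main__":
    for u in ("http://localhost:5003/spans?limit=10000",
              "http://localhost:5003/spans?limit=0",
              "http://localhost:5003/spans?page_number=0",
              "http://localhost:5003/spans?limit=100"):
        status, body = validate_pagination(u)
        print(status, body)
```

`validate_pagination` returns 422 with every violation listed rather than stopping at the first, which is also how the framework's 422 `detail` array behaves; `fetch_page` shows why the cap matters: a request of `?limit=10000000` never reaches the slice, so the largest window any caller can force is `LIMIT_MAX` rows.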
@smoreinis smoreinis changed the title from "perf: Add pagination bounds to prevent DoS via unbounded queries" to "nit: Add pagination bounds to prevent DoS via unbounded queries" Dec 24, 2025
@smoreinis smoreinis marked this pull request as ready for review December 24, 2025 20:55
@smoreinis smoreinis requested a review from a team as a code owner December 24, 2025 20:55