No per-route rate limiting on expensive endpoints #51

@jeesunikim

Description

  • Location: src/index.ts:31-43
  • Vulnerability: Global rate limit is 1000 req/15min. The /api/contracts/:contract_id/keys endpoint runs a recursive CTE (skip-scan), which is more expensive than simple queries. The same rate limit applies to all endpoints.
  • Exploit scenario: An attacker burns all 1000 requests on the keys endpoint with contracts that have many distinct keys, maximizing recursive CTE iterations. Each request forces up to 10,000 iterations.
  • Impact: CPU saturation and connection pool pressure from recursive CTE queries.
  • Suggested fix: Add a stricter per-route rate limit on /api/contracts/:contract_id/keys:

```ts
import rateLimit from "express-rate-limit";

// 100 requests per 15-minute window for the expensive keys endpoint,
// applied in addition to the global 1000 req/15min limiter.
const keysRateLimit = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 });
app.use("/api/contracts/:contract_id/keys", keysRateLimit);
```
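An added example, not code from this issue or from the project: a dependency-free fixed-window limiter with the same windowMs/max shape as express-rate-limit, wired so the global 1000 req/15min budget runs first and the stricter 100 req/15min budget applies only to the keys route, in the same order as the suggested app.use chain. The names createLimiter, makeGate and simulate, the route regex, and the client address and contract id are constructed for the example.

```typescript
// Added example, not the project's code: a minimal fixed-window limiter with
// express-rate-limit's windowMs/max shape, kept dependency-free to run offline.
type Clock = () => number;
interface Bucket { start: number; count: number }

function createLimiter(windowMs: number, max: number, now: Clock) {
  const buckets = new Map<string, Bucket>();
  // Returns true if this request still fits the key's budget for the window.
  return function check(key: string): boolean {
    const t = now();
    let b = buckets.get(key);
    if (b === undefined || t - b.start >= windowMs) {
      b = { start: t, count: 0 };
      buckets.set(key, b);
    }
    b.count += 1;
    return b.count <= max;
  };
}

const WINDOW_MS = 15 * 60 * 1000;
const KEYS_ROUTE = /^\/api\/contracts\/[^/]+\/keys$/; // constructed matcher

// Mirrors the middleware order of the suggested fix: the global limiter runs
// for every path, then the stricter one only for the keys route. Returns 200 or 429.
function makeGate(now: Clock) {
  const globalLimit = createLimiter(WINDOW_MS, 1000, now);
  const keysLimit = createLimiter(WINDOW_MS, 100, now);
  return function allow(ip: string, path: string): number {
    if (!globalLimit(ip)) return 429;
    if (KEYS_ROUTE.test(path) && !keysLimit(ip)) return 429;
    return 200;
  };
}

// Constructed scenario: one client sends 500 keys requests inside a window,
// then one cheap request, then one keys request after the window has passed.
function simulate() {
  let t = 0;
  const allow = makeGate(() => t);
  const ip = "203.0.113.7"; // constructed client address
  let keysServed = 0;
  for (let i = 0; i < 500; i++) {
    t += 1000; // one request per second, all inside the 15-minute window
    if (allow(ip, "/api/contracts/CTEST/keys") === 200) keysServed++;
  }
  const cheapStatus = allow(ip, "/api/contracts/CTEST");
  t += WINDOW_MS;
  const keysAfterWindow = allow(ip, "/api/contracts/CTEST/keys");
  return { keysServed, cheapStatus, keysAfterWindow };
}
```

Only the first 100 keys requests reach the recursive CTE; the remaining 400 are rejected by the per-route limiter while the cheap route stays available under the global budget.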

Labels: bug (Something isn't working)
Status: Backlog (Not Ready)