[Security] Rate limiting only covers 1 of 6 AI endpoints - apply to all#2880
sanrishi wants to merge 1 commit into
- Add ML_HEAVY_LIMIT to /ai/troubleshoot, /ai/analyze_bug, /ai/analyze, /ai/analyze_stream, /ai/analyze_ticket/legacy, /ai/analyze-v2
- Add TICKET_READ_LIMIT and TICKET_WRITE_LIMIT to /tickets endpoints
- Add ADMIN_LIMIT to /api/profiles
- limiter.py already defined all limit constants - only decorators were missing

Fixes ritesh-1918#2874
Target
`backend/routers/ai.py`: All AI analysis endpoints (6 endpoints unprotected)
`backend/routers/tickets.py`: Ticket read/write endpoints (0 rate limited)
`backend/routers/admin.py`: Admin endpoints (0 rate limited)
Vector
Insecure Deserialization & Payload Validation (Security)
Problem
Only `/ai/analyze_ticket` had rate limiting. Five other AI endpoints — including SSE streaming, Gemini-powered analysis, and V2 classification — had zero protection. Ticket and admin endpoints were also completely open.
The `limiter.py` module already defined all limit constants (`ML_HEAVY_LIMIT`, `ML_LIGHT_LIMIT`, `TICKET_READ_LIMIT`, `TICKET_WRITE_LIMIT`, `ADMIN_LIMIT`) but they were never applied to the actual route decorators.
Changes
`request` → `troubleshoot_request`/etc. to avoid conflict with FastAPI `Request` injection)
Fixes #2874
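The Problem and Changes sections describe the fix as wiring already-defined limit constants onto routes that had no decorator. As an added illustration that is not the project's code (the page does not show `limiter.py`, the constants' values or the framework wiring), the stand-alone Python below models the three pieces a reviewer would want to see: a parser for `"N/period"` limit strings, a per-client sliding-window decorator that marks the handler it protects, and a coverage audit that lists routes without that marker, which is the gap the PR title describes. Handler names, paths and limit values are constructed.

```python
import re
import time
from collections import defaultdict, deque
from functools import wraps

# Limit constants with the names the PR says limiter.py defines; the values are assumed.
ML_HEAVY_LIMIT = "5/minute"
_PERIODS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_limit(spec):
    """'5/minute' -> (5, 60): at most 5 calls per 60-second window."""
    m = re.fullmatch(r"(\d+)/(second|minute|hour|day)", spec)
    if not m:
        raise ValueError(f"bad limit spec: {spec!r}")
    return int(m.group(1)), _PERIODS[m.group(2)]

class RateLimitExceeded(Exception): pass

class Limiter:
    """Sliding-window limiter keyed by (handler, client); the clock is injectable for tests."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._hits = defaultdict(deque)

    def limit(self, spec):
        max_calls, window = parse_limit(spec)
        def decorator(handler):
            @wraps(handler)
            def wrapped(client_ip, *args, **kwargs):
                now, hits = self.clock(), self._hits[(handler.__name__, client_ip)]
                while hits and now - hits[0] >= window:  # drop hits that fell out of the window
                    hits.popleft()
                if len(hits) >= max_calls:
                    raise RateLimitExceeded(f"{handler.__name__}: {spec} exceeded")
                hits.append(now)
                return handler(client_ip, *args, **kwargs)
            wrapped.rate_limit = spec  # marker that the coverage audit below looks for
            return wrapped
        return decorator

limiter = Limiter()
@limiter.limit(ML_HEAVY_LIMIT)
def analyze(client_ip, payload):  # stands in for /ai/analyze, now decorated
    return f"analysis of {payload}"
def analyze_stream(client_ip, payload):  # stands in for /ai/analyze_stream before the PR: no decorator
    return f"stream of {payload}"
ROUTES = {"/ai/analyze": analyze, "/ai/analyze_stream": analyze_stream}

def unprotected_routes(routes):
    """Paths whose handler carries no rate_limit marker: the gap this PR closes."""
    return sorted(p for p, h in routes.items() if not hasattr(h, "rate_limit"))
```

Running `unprotected_routes` over the real router tables in CI would catch a regression like the one this PR fixes before it reaches deployment.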