This repository was archived by the owner on May 29, 2026. It is now read-only.
Commit bb8cd7f
committed
fix(security): UrnController::bulk — cap input list at 1000
Each URN triggers parse → register find → schema find → object find
(~4 DB round-trips per item). Without a cap a caller can post 100k
URNs and force ~400k DB round-trips per request. Today the route is
effectively admin-only via the absence of @NoAdminRequired, so impact
is limited; a future relaxation would convert the missing cap into a
direct DoS lever. Reject with 422 above 1000.
Refs: #1419 review (concern 3) — discussion_r31874944641 parent ea0b5d5 commit bb8cd7f
1 file changed
Lines changed: 13 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
149 | 149 | | |
150 | 150 | | |
151 | 151 | | |
| 152 | + | |
| 153 | + | |
| 154 | + | |
| 155 | + | |
| 156 | + | |
| 157 | + | |
| 158 | + | |
| 159 | + | |
| 160 | + | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
152 | 165 | | |
153 | 166 | | |
154 | 167 | | |
| |||
0 commit comments