Codeberg/Community
Codeberg/Community
52
313
Fork 13
Code Issues 398 Activity

Rate Limit for search endpoints #2185

New issue
Open
opened 2025-10-25 21:19:43 +02:00 by litetex · 1 comment
litetex commented 2025-10-25 21:19:43 +02:00
Copy link

Comment

In light of the recent outage I had a look at the rate-limiting configuration and - as far as I can see - there are no stricter rate-limits for search endpoints present.

If I read the configuration correctly it's currently possible to perform 4000 searches within 30 minutes per IP (that's 2.22 searches per second).

That sounds quite risky considering that searches are usually quite expensive to perform.

For example GitHub has implement very hard rate limits on searches when you are not authenticated (Code searches are not allowed at all and other searches are usually capped to ~10 per minute).

### Comment In light of the recent outage I had a look at the [rate-limiting configuration](https://codeberg.org/Codeberg-Infrastructure/scripted-configuration/src/commit/e4aaceeb434a82d2b8c610284006d3d0a3cbe665/hosts/_reverseproxy/etc/caddy/forgejo-prod.site) and - as far as I can see - there are no stricter rate-limits for search endpoints present. If I read the configuration correctly it's currently possible to perform 4000 searches within 30 minutes per IP (that's 2.22 searches per second). That sounds quite risky considering that searches are usually quite expensive to perform. For example GitHub has implement very hard rate limits on searches when you are not authenticated (Code searches are not allowed at all and other searches are usually capped to ~10 per minute).
Gusted commented 2025-10-30 18:46:57 +01:00
Owner
Copy link

Search is currently not that expensive and it's hidden for larger repositories and only shown if you're logged in:

Line 178 in Codeberg-Infrastructure/forgejo@1faa2bd
{{if and $.IsSigned (le .Repository.Size 700000000)}}

We've not yet seen abuse of these endpoints but will keep this in mind if starts becoming a problem.

Search is currently not _that_ expensive and it's hidden for larger repositories and only shown if you're logged in: https://codeberg.org/Codeberg-Infrastructure/forgejo/src/commit/1faa2bdecd683cd416e2acf944a2d8f03a906f16/templates/repo/home.tmpl#L178 We've not yet seen abuse of these endpoints but will keep this in mind if starts becoming a problem.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels   
accessibility

Reduces accessibility and is thus a "bug" for certain user groups on Codeberg.

  
bug

Something is not working the way it should. Does not concern outages.

  
bug
infrastructure
Errors evidently caused by infrastructure malfunctions or outages

  
Codeberg

This issue involves Codeberg's downstream modifications and settings and/or Codeberg's structures.

  
contributions welcome

Please join the discussion and consider contributing a PR!

  
docs

No bug, but an improvement to the docs or UI description will help

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
infrastructure

Involves changes to the server setups, use `bug/infrastructure` for infrastructure-related user errors.

  
legal

An issue directly involving legal compliance

  
licence / ToS

involving questions about the ToS, especially licencing compliance

  
please chill
we are volunteers
Please consider editing your posts and remember that there is a human on the other side. We get that you are frustrated, but it's harder for us to help you this way.

  
public relations

Things related to Codeberg's external communication

  
question

More information is needed

  
question
user support
This issue contains a clearly stated problem. However, it is not clear whether we have to fix anything on Codeberg's end, but we're helping them fix it and/or find the cause.

  
s/Forgejo

Related to Forgejo. Please also check Forgejo's issue tracker.

  
s/Forgejo/migration

Migration related issues in Forgejo

  
s/Pages

Issues related to the Codeberg Pages feature

  
s/Weblate

Issue is related to the Weblate instance at https://translate.codeberg.org

  
s/Woodpecker

Woodpecker CI related issue

  
security

involves improvements to the sites security

  
service

Add a new service to the Codeberg ecosystem (instead of implementing into Gitea)

  
upstream

An open issue or pull request to an upstream repository to fix this issue (partially or completely) exists (i.e. Gitea, Forgejo, etc.)

  
wontfix

Codeberg's current set of contributors are not planning to spend time on delegating this issue.

No labels
accessibility
bug
bug
infrastructure
Codeberg
contributions welcome
docs
duplicate
enhancement
infrastructure
legal
licence / ToS
please chill
we are volunteers
public relations
question
question
user support
s/Forgejo
s/Forgejo/migration
s/Pages
s/Weblate
s/Woodpecker
security
service
upstream
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Codeberg/Community#2185
No description provided.