Codeberg/Community

Fork 12

Code Issues 426 Activity

Rate Limit for search endpoints #2185

New issue

Open

opened 2025年10月25日 21:19:43 +02:00 by litetex · 1 comment

litetex commented

2025年10月25日 21:19:43 +02:00

Copy link

Comment

In light of the recent outage I had a look at the rate-limiting configuration and - as far as I can see - there are no stricter rate-limits for search endpoints present.

If I read the configuration correctly it's currently possible to perform 4000 searches within 30 minutes per IP (that's 2.22 searches per second).

That sounds quite risky considering that searches are usually quite expensive to perform.

For example GitHub has implement very hard rate limits on searches when you are not authenticated (Code searches are not allowed at all and other searches are usually capped to ~10 per minute).

### Comment In light of the recent outage I had a look at the [rate-limiting configuration](https://codeberg.org/Codeberg-Infrastructure/scripted-configuration/src/commit/e4aaceeb434a82d2b8c610284006d3d0a3cbe665/hosts/_reverseproxy/etc/caddy/forgejo-prod.site) and - as far as I can see - there are no stricter rate-limits for search endpoints present. If I read the configuration correctly it's currently possible to perform 4000 searches within 30 minutes per IP (that's 2.22 searches per second). That sounds quite risky considering that searches are usually quite expensive to perform. For example GitHub has implement very hard rate limits on searches when you are not authenticated (Code searches are not allowed at all and other searches are usually capped to ~10 per minute).

Gusted commented

2025年10月30日 18:46:57 +01:00

Owner

Copy link

Search is currently not that expensive and it's hidden for larger repositories and only shown if you're logged in:

Codeberg-Infrastructure/forgejo – templates/repo/home.tmpl

Line 178 in Codeberg-Infrastructure/forgejo@1faa2bd

			{{ifand$.IsSigned(le.Repository.Size700000000)}}

We've not yet seen abuse of these endpoints but will keep this in mind if starts becoming a problem.

Search is currently not _that_ expensive and it's hidden for larger repositories and only shown if you're logged in: https://codeberg.org/Codeberg-Infrastructure/forgejo/src/commit/1faa2bdecd683cd416e2acf944a2d8f03a906f16/templates/repo/home.tmpl#L178 We've not yet seen abuse of these endpoints but will keep this in mind if starts becoming a problem.

No Branch/Tag specified

Branches Tags

main

Labels

Clear labels

accessibility

Reduces accessibility and is thus a "bug" for certain user groups on Codeberg.

bug

Something is not working the way it should. Does not concern outages.

bug

infrastructure

Errors evidently caused by infrastructure malfunctions or outages

Codeberg

This issue involves Codeberg's downstream modifications and settings and/or Codeberg's structures.

contributions welcome

Please join the discussion and consider contributing a PR!

docs

No bug, but an improvement to the docs or UI description will help

duplicate

This issue or pull request already exists

enhancement

New feature

infrastructure

Involves changes to the server setups, use `bug/infrastructure` for infrastructure-related user errors.

legal

An issue directly involving legal compliance

licence / ToS

involving questions about the ToS, especially licencing compliance

please chill

we are volunteers

Please consider editing your posts and remember that there is a human on the other side. We get that you are frustrated, but it's harder for us to help you this way.

public relations

question

More information is needed

question

user support

This issue contains a clearly stated problem. However, it is not clear whether we have to fix anything on Codeberg's end, but we're helping them fix it and/or find the cause.

s/Forgejo

s/Forgejo/migration

Migration related issues in Forgejo

s/Pages

s/Weblate

s/Woodpecker

Woodpecker CI related issue

security

involves improvements to the sites security

service

Add a new service to the Codeberg ecosystem (instead of implementing into Gitea)

upstream

An open issue or pull request to an upstream repository to fix this issue (partially or completely) exists (i.e. Gitea, Forgejo, etc.)

wontfix

Codeberg's current set of contributors are not planning to spend time on delegating this issue.

No labels

contributions welcome

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

Codeberg/Community#2185

No description provided.

Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?