
Initial attempt at restricting endpoints #2877

Draft
JR40159 wants to merge 5 commits into main from dev/restrict-api-by-entry-kind

JR40159 commented Nov 4, 2025

No description provided.

{ url: match('/permissions/mine'), method: ['GET'] },
],
},
mirroredModel: { allowAll: true },
Member

There's already quite a few checks to block endpoints on mirrored models. Is this meant to be a replacement for that functionality?

) {
return next()
}
throw BadReq('Deny')
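Review bot: `throw BadReq('Deny')` reports an allow-list denial as a bad request, going by the helper's name, and gives no detail. A request refused by policy is an authorization outcome, so a 403-class error fits better than a 400-class one, and the message should say which entry kind, method and path were refused so the denial can be traced in logs.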
Member

Could we give the user the EntryKind as context?

github-actions bot added the javascript and backend labels Mar 13, 2026

router.use('/model/:modelId', entryKindCheck(entryAllowList))

// Needs to be applied after authentication middleware as it requires the user details
router.use('/api/v2/models', escalateUser)

Check failure

Code scanning / CodeQL

Missing rate limiting (High)

This route handler performs authorization, but is not rate-limited.

Copilot Autofix

AI 20 days ago

In general, the problem is fixed by adding a rate-limiting middleware in front of the sensitive route(s) (here, the /api/v2/models subtree) so that each client can only trigger the protected logic (including escalateUser and the model handlers) at a controlled rate. A standard solution in Express is to use express-rate-limit to define a limiter and apply it with router.use() before the expensive or security-sensitive middlewares.

For this specific file, the minimal change that doesn’t alter existing behavior is:

  • Import express-rate-limit.
  • Create a limiter configured with reasonable defaults (e.g., 100 requests per 15 minutes per IP; these values can be tuned later but provide a baseline).
  • Apply this limiter to the same route prefix as escalateUser and place it immediately before escalateUser so that rate limiting happens first, and only then does the app perform the authorization escalation.

Concretely:

  • In backend/src/routes/v2/routes.ts, add import rateLimit from 'express-rate-limit' alongside the other imports.
  • Define const modelsRateLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }) somewhere near the router initialization.
  • Change the middleware chain around line 126 so that router.use('/api/v2/models', modelsRateLimiter, escalateUser) is used instead of only escalateUser.

This keeps the existing route structure and handlers intact while adding a protective layer against request floods.

Suggested changeset 2
backend/src/routes/v2/routes.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/backend/src/routes/v2/routes.ts b/backend/src/routes/v2/routes.ts
--- a/backend/src/routes/v2/routes.ts
+++ b/backend/src/routes/v2/routes.ts
@@ -5,6 +5,7 @@
 import { AllowList, entryKindCheck } from '../middleware/entryType.js'
 import { expressErrorHandler } from '../middleware/expressErrorHandler.js'
 import { escalateUser } from '../middleware/userEscalation.js'
+import rateLimit from 'express-rate-limit'
 import { getArtefactScanningInfo } from './artefactScanning/getArtefactScanningInfo.js'
 import { putFileScan } from './artefactScanning/putFileScan.js'
 import { getCurrentUser } from './entities/getCurrentUser.js'
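Review bot: the added `import rateLimit from 'express-rate-limit'` line lands in the middle of the relative `../middleware/` and `./artefactScanning/` imports. Move it up to the file's package imports so the grouping stays consistent and an import-order lint rule does not flag it.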
@@ -92,6 +93,11 @@
 
 const router = Router()
 
+const modelsRateLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // limit each IP to 100 requests per windowMs
+})
+
 const entryAllowList: {
   model: AllowList
   'data-card': AllowList
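Review bot: `modelsRateLimiter` hard-codes `windowMs: 15 * 60 * 1000` and `max: 100` and relies on the default per-IP key ("limit each IP"). Per-IP counting gives every client behind one proxy or NAT address a single shared budget, and it is only meaningful when Express's `trust proxy` setting matches the deployment, so take the window and the limit from configuration and state the proxy assumption next to the limiter. In current express-rate-limit releases the option is named `limit`; `max` is the older name kept for compatibility.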
@@ -123,7 +129,7 @@
 router.use('/model/:modelId', entryKindCheck(entryAllowList))
 
 // Needs to be applied after authentication middleware as it requires the user details
-router.use('/api/v2/models', escalateUser)
+router.use('/api/v2/models', modelsRateLimiter, escalateUser)
 
 router.get('/system/status', ...getSystemStatus)
 router.get('/system/peers', ...getPeerStatus)
EOF
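Review bot: on the changed `router.use('/api/v2/models', modelsRateLimiter, escalateUser)` line the limiter fronts every handler under `/api/v2/models`, so reads and writes draw on the same budget. The comment above the line says the user details are available at this point, so the limiter can key on the authenticated user rather than the address, and that comment should be extended to say why the limiter comes before `escalateUser`.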
backend/package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/backend/package.json b/backend/package.json
--- a/backend/package.json
+++ b/backend/package.json
@@ -80,7 +80,8 @@
     "uuid": "^13.0.0",
     "yargs": "^18.0.0",
     "zod": "^3.25.67",
-    "zod-error": "^1.5.0"
+    "zod-error": "^1.5.0",
+    "express-rate-limit": "^8.3.1"
   },
   "devDependencies": {
     "@anatine/zod-mock": "^3.14.0",
EOF
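Review bot: `"express-rate-limit": "^8.3.1"` is appended after `zod-error`, while the surrounding entries (`uuid`, `yargs`, `zod`, `zod-error`) are in alphabetical order. Add it in its sorted position, preferably through the package manager's install command so the lockfile changes in the same commit; this patch touches only `package.json`.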
This fix introduces these dependencies:

| Package | Version | Security advisories |
| --- | --- | --- |
| express-rate-limit (npm) | 8.3.1 | None |

Copilot is powered by AI and may make mistakes. Always verify output.
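
The ordering described in the suggestion above (limiter first, then `escalateUser`), as an added example that is not part of the PR or the project's code: a dependency-free fixed-window limiter in the Express middleware shape, keyed on the authenticated user with a fallback to the client address. The `req.user.dn` field, the helper names `fixedWindowLimiter`, `userOrIp` and `simulate`, and the sample requests are assumptions constructed for illustration.

```javascript
// Added example (not PR code): fixed-window limiter as Express-style middleware.
function fixedWindowLimiter({ windowMs, limit, keyFor, now = Date.now }) {
  const buckets = new Map() // key -> { count, resetAt }
  return function limiter(req, res, next) {
    const t = now()
    const key = keyFor(req)
    let bucket = buckets.get(key)
    if (!bucket || t >= bucket.resetAt) {
      bucket = { count: 0, resetAt: t + windowMs } // start a new window
      buckets.set(key, bucket)
    }
    bucket.count += 1
    if (bucket.count > limit) {
      res.setHeader('Retry-After', Math.ceil((bucket.resetAt - t) / 1000))
      res.statusCode = 429
      return res.end('Too many requests') // later middleware never runs
    }
    return next()
  }
}

// Assumption: authentication has set req.user.dn. Fall back to the address.
const userOrIp = (req) => (req.user ? `user:${req.user.dn}` : `ip:${req.ip}`)

// Replays constructed requests through [limiter, escalate], the order that
// router.use(prefix, limiter, escalateUser) gives, on a fake clock.
function simulate(requests, { windowMs, limit }) {
  let clock = 0
  const limiter = fixedWindowLimiter({ windowMs, limit, keyFor: userOrIp, now: () => clock })
  return requests.map(({ at, ip, user }) => {
    clock = at
    const res = { statusCode: 200, headers: {}, end() {}, setHeader(n, v) { this.headers[n] = v } }
    let escalated = false // did the stand-in for escalateUser run?
    limiter({ ip, user }, res, () => { escalated = true })
    return { status: res.statusCode, escalated, retryAfter: res.headers['Retry-After'] }
  })
}

// Constructed sample: two users behind one proxy address, limit 2 per minute.
const sample = [
  { at: 0, ip: '10.0.0.1', user: { dn: 'alice' } },
  { at: 1000, ip: '10.0.0.1', user: { dn: 'alice' } },
  { at: 2000, ip: '10.0.0.1', user: { dn: 'alice' } }, // third hit: throttled
  { at: 3000, ip: '10.0.0.1', user: { dn: 'bob' } }, // same IP, own budget
  { at: 61000, ip: '10.0.0.1', user: { dn: 'alice' } }, // window has reset
]
const results = simulate(sample, { windowMs: 60000, limit: 2 })
console.log(results.map((r) => `${r.status}${r.escalated ? ' escalated' : ''}`))
```

The in-memory `Map` is per process and never evicts idle keys, so a multi-instance deployment needs a shared store and a cleanup policy.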