fix: bound public rate-limit memory and clarify threat model

PttCodingMan · claude · PttCodingMan · commit d4ea59df9011 · 2026-04-26T21:32:05.000+08:00
The per-IP sliding-window dict had no eviction: an IP that hit the
endpoint once and never returned left a stale bucket forever, and an
IP-rotating scraper could leak memory linearly. Add a 10k-entry cap
with true LRU eviction (pop+reinsert on touch so the dict's insertion
order tracks recency, then drop from the front when over the cap).

Also rewrite the comment to be honest about what the limiter is and
isn't: gentle DoS / scrape protection on a public-by-definition
endpoint, not a security boundary. Counters reset on process restart;
that's acceptable for a self-hosted small-team wiki.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/backend/app/routers/public.py b/backend/app/routers/public.py
@@ -18,20 +18,39 @@
 _HTML_COMMENT_RE = re.compile(r"<!--[\s\S]*?-->")
 
 # In-memory rate limit: 60 requests per IP per 60 seconds.
-# Single-process only — see to-do Known Limitations.
+#
+# Threat model: gentle DoS / scrape protection on a public-by-definition
+# endpoint, not a security boundary. The counter is per-process and resets
+# on restart; an attacker who can rotate IPs (or trigger restarts) gets
+# fresh budget. Acceptable for a self-hosted small-team wiki.
+#
+# Memory: empty buckets are dropped after the prune so a one-off visitor
+# doesn't leave a permanent entry; if the dict still grows past _MAX_IPS
+# we drop the oldest-touched entries. Without this, an IP-rotating scraper
+# would leak memory linearly.
 _access_log: dict[str, list[float]] = defaultdict(list)
 _RATE_LIMIT_MAX = 60
 _RATE_LIMIT_WINDOW = 60  # seconds
+_MAX_IPS = 10_000
 
 
 def _check_rate_limit(ip: str):
     now = time.monotonic()
-    log = _access_log[ip]
+    # pop+reinsert so the dict's insertion order tracks recency — the
+    # eviction step below can then drop true LRU entries.
+    log = _access_log.pop(ip, [])
     pruned = [t for t in log if now - t < _RATE_LIMIT_WINDOW]
-    _access_log[ip] = pruned
     if len(pruned) >= _RATE_LIMIT_MAX:
+        _access_log[ip] = pruned
         raise HTTPException(status_code=429, detail="Too many requests")
     pruned.append(now)
+    _access_log[ip] = pruned
+
+    if len(_access_log) > _MAX_IPS:
+        # Cap memory against IP-rotating scrapers. Drop oldest-touched
+        # entries first; cheap one-shot pop loop only when we hit the cap.
+        for stale in list(_access_log)[: len(_access_log) - _MAX_IPS]:
+            _access_log.pop(stale, None)
 
 
 @router.get("/pages/{slug}")
