Skip to content

No upper bound on ListSkills page_size #15

Open
Open
No upper bound on ListSkills page_size#15
Labels
securitySecurity vulnerability or hardening
@dcmcand

Description

@dcmcand
dcmcand
opened on Mar 20, 2026

Summary

ListSkills accepts arbitrary page_size with no upper bound enforced server-side. A request with page_size: 2147483647 would attempt to return all rows.

Location

  • backend/internal/store/sqlite/sqlite.go (line 104)

Risk

Resource exhaustion / DoS via unbounded query result sets.

Suggested fix

Cap page_size at a reasonable maximum (e.g., 500) regardless of what the caller requests.

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity vulnerability or hardening

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions