No rate limiting on API endpoints enables abuse
Location
src/supervisor/web/routes.py:138
Description
routes.py has no rate limiting on expensive endpoints such as /resources/{id}/discover (line 138) and /resources/{id}/health-check (line 164). An attacker with a valid API key can: (1) spam discovery runs, consuming LLM tokens/credits; (2) exhaust SSH connections to monitored servers; (3) fill the database with run records; (4) cause scheduler starvation by creating many PENDING runs. Since background tasks are not tracked (see finding #1), there is no limit on concurrent operations. The API also has no pagination limits: the /reports endpoint (line 219) accepts any integer as `limit`, enabling memory exhaustion. Should add per-key rate limiting (e.g., slowapi) and enforce a maximum `limit` value.
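The three mitigations the description calls for, shown together as an added example that is not the project's own code: a per-API-key token-bucket limiter (the finding suggests slowapi; this is a dependency-free stand-in for the same idea), a cap on pending runs per resource so repeated discovery requests cannot pile up PENDING work, and a bounded `limit` parser for paginated endpoints. The cap values, the `ManualClock`, the `PendingRuns` registry and the `handle_discover` wrapper are all assumptions made for illustration, not names from routes.py.

```python
"""Per-key rate limiting, pending-run cap and bounded pagination (added example)."""
import time
from dataclasses import dataclass

# Assumed policy values; the finding only says a maximum must be enforced.
MAX_PAGE_LIMIT = 100
DEFAULT_PAGE_LIMIT = 20


@dataclass
class _Bucket:
    tokens: float   # currently available requests
    updated: float  # clock reading at the last refill


class PerKeyRateLimiter:
    """Token bucket per API key: `capacity` burst requests, refilled at `refill_per_sec`."""

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock  # injectable so behaviour can be tested deterministically
        self._buckets: dict[str, _Bucket] = {}

    def allow(self, api_key: str) -> bool:
        now = self.clock()
        b = self._buckets.get(api_key)
        if b is None:
            b = _Bucket(tokens=float(self.capacity), updated=now)
            self._buckets[api_key] = b
        # Refill in proportion to elapsed time, never above capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.updated) * self.refill_per_sec)
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


class PendingRuns:
    """Assumed in-memory registry: refuses a new run while one is still pending for a resource."""

    def __init__(self, max_pending_per_resource: int = 1):
        self.max_pending = max_pending_per_resource
        self._pending: dict[str, int] = {}

    def try_start(self, resource_id: str) -> bool:
        n = self._pending.get(resource_id, 0)
        if n >= self.max_pending:
            return False
        self._pending[resource_id] = n + 1
        return True

    def finish(self, resource_id: str) -> None:
        n = self._pending.get(resource_id, 0)
        if n > 0:
            self._pending[resource_id] = n - 1


def clamp_limit(raw, default: int = DEFAULT_PAGE_LIMIT, maximum: int = MAX_PAGE_LIMIT) -> int:
    """Parse a `limit` query value and confine it to [1, maximum]; reject junk."""
    if raw is None:
        return default
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValueError("limit must be an integer")
    if value < 1:
        raise ValueError("limit must be >= 1")
    return min(value, maximum)


def handle_discover(limiter: PerKeyRateLimiter, runs: PendingRuns,
                    api_key: str, resource_id: str) -> int:
    """Hypothetical guard for /resources/{id}/discover; returns the HTTP status to send."""
    if not limiter.allow(api_key):
        return 429  # Too Many Requests: per-key budget exhausted
    if not runs.try_start(resource_id):
        return 409  # Conflict: a run for this resource is already pending
    return 202  # Accepted: run enqueued


class ManualClock:
    """Test clock: advance `t` by hand instead of waiting on wall time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = ManualClock()
    limiter = PerKeyRateLimiter(capacity=3, refill_per_sec=1.0, clock=clock)
    runs = PendingRuns()
    for _ in range(4):
        print(handle_discover(limiter, runs, "key-a", "r1"))
    print(clamp_limit("5000"), clamp_limit(None))
```

Rate-limit before the pending-run check so a rejected duplicate still costs the caller a token, and keep the `limit` clamp in one helper so every paginated route applies the same ceiling.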