Fix DoS vulnerability in batch evaluation endpoint#649

Merged
zhouzhuojie merged 3 commits intoopenflagr:mainfrom
MagicBok:fix/batch-evaluation-dos-limit
Feb 5, 2026
Conversation

@MagicBok (Contributor) commented Feb 4, 2026

Add deduplication for flagKeys and flagIDs to prevent resource exhaustion attacks via the /api/v1/evaluation/batch endpoint where attackers could send the same key repeated thousands of times.

Also add optional FLAGR_EVAL_BATCH_SIZE limit (default: 0/disabled) for users who want additional protection against large unique key lists.

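The two mitigations the description lists, collapsing repeated flagKeys/flagIDs before evaluation and an optional FLAGR_EVAL_BATCH_SIZE cap that is off when 0, written out as an added worked example in Go (flagr's language). This is illustrative code, not the PR's diff or flagr's handler; the BatchRequest type, the Normalize and BatchLimitFromEnv helpers, and the choice to count unique keys and unique IDs together against the limit are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
)

// BatchRequest stands in for the flag-selection part of a batch evaluation
// request. Field names are illustrative, not flagr's generated swagger types.
type BatchRequest struct {
	FlagKeys []string
	FlagIDs  []int64
}

// ErrBatchTooLarge is returned when the request, after deduplication, still
// names more flags than the configured limit allows.
var ErrBatchTooLarge = errors.New("batch evaluation request exceeds configured limit")

// DedupeKeys returns the unique flag keys in first-seen order. Order is
// preserved so response ordering stays stable for callers.
func DedupeKeys(keys []string) []string {
	seen := make(map[string]struct{}, len(keys))
	out := make([]string, 0, len(keys))
	for _, k := range keys {
		if _, dup := seen[k]; dup {
			continue
		}
		seen[k] = struct{}{}
		out = append(out, k)
	}
	return out
}

// DedupeIDs does the same for numeric flag IDs.
func DedupeIDs(ids []int64) []int64 {
	seen := make(map[int64]struct{}, len(ids))
	out := make([]int64, 0, len(ids))
	for _, id := range ids {
		if _, dup := seen[id]; dup {
			continue
		}
		seen[id] = struct{}{}
		out = append(out, id)
	}
	return out
}

// BatchLimitFromEnv reads FLAGR_EVAL_BATCH_SIZE. Unset, empty, or "0" means
// the limit is disabled (the default the PR describes). A negative or
// non-numeric value is reported as an error instead of silently disabling
// the check, so a typo in deployment config is noticed.
func BatchLimitFromEnv() (int, error) {
	raw := os.Getenv("FLAGR_EVAL_BATCH_SIZE")
	if raw == "" {
		return 0, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid FLAGR_EVAL_BATCH_SIZE %q", raw)
	}
	return n, nil
}

// Normalize dedupes the request in place and then enforces the limit.
// Deduplication always runs, so a single key repeated ten thousand times
// collapses to one evaluation even with the limit disabled (limit <= 0).
// Assumption: the limit counts unique keys and unique IDs together.
func Normalize(req *BatchRequest, limit int) error {
	req.FlagKeys = DedupeKeys(req.FlagKeys)
	req.FlagIDs = DedupeIDs(req.FlagIDs)
	total := len(req.FlagKeys) + len(req.FlagIDs)
	if limit > 0 && total > limit {
		return fmt.Errorf("%w: %d unique flags > limit %d", ErrBatchTooLarge, total, limit)
	}
	return nil
}

func main() {
	// Constructed input: the attack shape from the description, one key
	// repeated many times, plus a few IDs with one duplicate.
	keys := make([]string, 10000)
	for i := range keys {
		keys[i] = "checkout_v2"
	}
	req := &BatchRequest{FlagKeys: keys, FlagIDs: []int64{1, 2, 2, 3}}
	if err := Normalize(req, 0); err != nil {
		fmt.Println("unexpected:", err)
	}
	fmt.Printf("after dedupe: %d keys, %d ids\n", len(req.FlagKeys), len(req.FlagIDs))

	big := &BatchRequest{FlagKeys: []string{"a", "b", "c", "d", "e"}}
	fmt.Println("limit 3:", Normalize(big, 3))
}
```

Deduplication is the part that needs no configuration and removes the cheap version of the attack; the limit only matters against a caller who can enumerate many distinct keys. If the batch endpoint also fans out over a list of entities, the entity count is a second multiplier that this check does not bound, so a request body size limit at the reverse proxy is still worth having alongside it.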

Add deduplication for flagKeys and flagIDs to prevent resource exhaustion
attacks via the /api/v1/evaluation/batch endpoint where attackers could
send the same key repeated thousands of times.

Also add optional FLAGR_EVAL_BATCH_SIZE limit (default: 0/disabled) for
users who want additional protection against large unique key lists.
@MagicBok MagicBok force-pushed the fix/batch-evaluation-dos-limit branch from 624f107 to 91dd09a Compare February 4, 2026 02:40
@codecov-commenter commented Feb 5, 2026


Codecov Report

❌ Patch coverage is 91.30435% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.06%. Comparing base (770461b) to head (19b600e).
⚠️ Report is 20 commits behind head on main.

File with missing lines: pkg/handler/eval.go (patch coverage 91.30%, 1 line missing and 1 partial)
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #649      +/-   ##
==========================================
- Coverage   81.19%   77.06%   -4.14%     
==========================================
  Files          28       30       +2     
  Lines        2271     2023     -248     
==========================================
- Hits         1844     1559     -285     
- Misses        337      373      +36     
- Partials       90       91       +1     


zhouzhuojie and others added 2 commits February 5, 2026 11:33
Enhance batch evaluation handling with size limit checks

Added tests to validate behavior when the evaluation batch size limit is exceeded, not exceeded, and disabled. Updated the evaluation logic to ensure proper deduplication of flagKeys and flagIDs, and to enforce the configured batch size limit for evaluations, improving protection against resource exhaustion attacks.
@zhouzhuojie zhouzhuojie merged commit 518e726 into openflagr:main Feb 5, 2026
9 checks passed
foxdalas pushed a commit to foxdalas/flagr that referenced this pull request Feb 7, 2026