Audit API for parameters that can heavily de-optimize requests

edgi-govdata-archiving / web-monitoring-db

An HTTP API for tracking and annotating changes to a set of web pages.

https://api.monitoring.envirodatagov.org/

GNU General Public License v3.0

17 stars 26 forks source link

Audit API for parameters that can heavily de-optimize requests #1070

Closed Mr0grog closed 1 year ago

Mr0grog commented 1 year ago

We want the API to be publicly readable, and there are a lot of parameters or options that can cause it to have unacceptable performance (e.g. causing full table scans on large tables, causing N+1 queries) if publicly accessible. We need to audit all the controllers and models and either:

Remove non-essential ones
Restrict access to essential ones