Rate-limit df.start() per user to prevent DoS (security D-1, D-2)#142

Open: Copilot wants to merge 3 commits into main from copilot/rate-limit-df-start

Conversation


Copilot AI commented May 5, 2026

df.start() was unconstrained — any user could flood instances, exhausting disk, the worker connection pool, and duroxide history. This adds two complementary per-user quotas enforced before any rows are written or worker capacity consumed. Superusers bypass both checks.

New GUCs (PGC_SUSET, superuser-only at runtime)

  GUC                          Default   Meaning
  df.max_concurrent_per_user   100       Max pending+running instances per user
  df.max_instances_per_user    10000     Max total rows in df.instances per user

0 = unlimited for both.

Enforcement in df_start() (src/dsl.rs)

After identity capture, before insert_nodes() / duroxide enqueue:

// Skip for superusers
if !is_superuser {
    // Concurrency cap
    let active = SELECT count(*) FROM df.instances
                 WHERE submitted_by = $1 AND lower(status) IN ('pending','running');
    if active >= max_concurrent { error!(...) }

    // Lifetime quota
    let total = SELECT count(*) FROM df.instances WHERE submitted_by = $1;
    if total >= max_instances { error!(...) }
}

Error messages include the exact DELETE statement needed to reclaim quota.

Other changes

  • src/lib.rs — GUC statics + _PG_init registration with GucContext::Suset
  • src/types.rs — get_max_concurrent_per_user() / get_max_instances_per_user() helpers
  • tests/e2e/sql/22_rate_limit.sql — E2E: cap rejection, slot-free-then-succeed, quota rejection, superuser bypass
  • USER_GUIDE.md — New "Rate Limiting" section with GUC reference, error examples, and quota reclamation instructions

Warning

Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
    • Triggering command: postgres: pg_durable_worker (dns block)
  • httpbingo.org
    • Triggering command: postgres: pg_durable_worker (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
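
The two quota checks sketched above, reworked as an added example that is not the project's code (df.start() itself is Rust in src/dsl.rs; this is a plpgsql stand-in for reading the logic against a live table). Assumptions, all constructed for the demo: a minimal df.instances(id, submitted_by, status) table; the GUCs are read with current_setting() and set here as session placeholders (in the extension they are PGC_SUSET, so a non-superuser SET would be rejected); submitted_by holds the role name of current_user. One addition beyond the sketch: the count(*)-then-INSERT sequence is a check-then-act, so two transactions by the same user can both observe active = max-1 and both insert under READ COMMITTED unless something serializes them; the example takes a transaction-scoped advisory lock keyed on the user for that reason. The sketch in the PR shows no such lock, so whether the Rust implementation needs one is a question for review, not a claim about it.

```sql
-- Added example (not the project's code). Constructed schema for the demo only.
CREATE SCHEMA IF NOT EXISTS df;
CREATE TABLE IF NOT EXISTS df.instances (
    id           bigserial PRIMARY KEY,
    submitted_by text        NOT NULL,          -- assumption: role name of the caller
    status       text        NOT NULL DEFAULT 'pending',
    created_at   timestamptz NOT NULL DEFAULT now()
);

CREATE OR REPLACE FUNCTION df.start_demo(p_status text DEFAULT 'pending')
RETURNS bigint
LANGUAGE plpgsql
AS $$
DECLARE
    v_user      text := current_user;
    v_superuser boolean;
    -- 0 (or unset/empty) = unlimited; defaults mirror the PR's GUC defaults
    v_max_conc  int := coalesce(nullif(current_setting('df.max_concurrent_per_user', true), '')::int, 100);
    v_max_total int := coalesce(nullif(current_setting('df.max_instances_per_user', true), '')::int, 10000);
    v_active    bigint;
    v_total     bigint;
    v_id        bigint;
BEGIN
    SELECT rolsuper INTO v_superuser FROM pg_roles WHERE rolname = v_user;

    IF NOT v_superuser THEN                          -- superusers bypass both checks
        -- Serialize df.start() per user for the rest of this transaction so two
        -- concurrent callers cannot both pass the count and both insert.
        -- (Added here; the PR's sketch shows no equivalent.)
        PERFORM pg_advisory_xact_lock(hashtext('df.start:' || v_user));

        IF v_max_conc > 0 THEN                       -- concurrency cap
            SELECT count(*) INTO v_active
              FROM df.instances
             WHERE submitted_by = v_user
               AND lower(status) IN ('pending', 'running');
            IF v_active >= v_max_conc THEN
                RAISE EXCEPTION 'df.start(): % has % pending/running instances (df.max_concurrent_per_user = %)',
                      v_user, v_active, v_max_conc
                      USING HINT = 'Wait for running instances to finish or cancel some before starting more.';
            END IF;
        END IF;

        IF v_max_total > 0 THEN                      -- lifetime quota
            SELECT count(*) INTO v_total FROM df.instances WHERE submitted_by = v_user;
            IF v_total >= v_max_total THEN
                RAISE EXCEPTION 'df.start(): % has % instances in df.instances (df.max_instances_per_user = %)',
                      v_user, v_total, v_max_total
                      USING HINT = format(
                          'Reclaim quota with: DELETE FROM df.instances WHERE submitted_by = %L AND lower(status) NOT IN (''pending'',''running'');',
                          v_user);
            END IF;
        END IF;
    END IF;

    -- Only now is a row written (the real df_start() would also enqueue to the worker here).
    INSERT INTO df.instances (submitted_by, status)
    VALUES (v_user, p_status)
    RETURNING id INTO v_id;
    RETURN v_id;
END
$$;

-- Walk-through (constructed). Run as a NON-superuser role; a superuser skips both checks.
-- Placeholders stand in for the extension's GUCs: cap 2 concurrent, 3 total.
SET df.max_concurrent_per_user = '2';
SET df.max_instances_per_user  = '3';
SELECT df.start_demo();                                   -- id 1 (pending)
SELECT df.start_demo();                                   -- id 2 (pending)
SELECT df.start_demo();                                   -- ERROR: 2 pending/running, cap 2
UPDATE df.instances SET status = 'completed' WHERE id = 1;
SELECT df.start_demo();                                   -- id 3: a slot was freed
UPDATE df.instances SET status = 'completed' WHERE id IN (2, 3);
SELECT df.start_demo();                                   -- ERROR: 3 instances, quota 3 (HINT carries the DELETE)
DELETE FROM df.instances
 WHERE submitted_by = current_user AND lower(status) NOT IN ('pending', 'running');
SELECT df.start_demo();                                   -- id 4: quota reclaimed
```

The checks run in the PR's order (concurrency first, then lifetime), which is why the quota error only appears once the pending/running rows have been completed: with two active rows and a cap of two, the concurrency error fires first. The advisory lock key is per user, so one user's burst of df.start() calls queues behind itself without blocking other users.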

Copilot AI changed the title [WIP] Add rate limiting to df.start() to prevent DoS Rate-limit df.start() per user to prevent DoS (security D-1, D-2) May 5, 2026
Copilot AI requested a review from pinodeca May 5, 2026 13:28
@pinodeca pinodeca marked this pull request as ready for review May 19, 2026 19:46
Development

Successfully merging this pull request may close this issue: Rate-limit df.start() to prevent DoS (security review D-1, D-2)

2 participants