Page MenuHomeSoftware Heritage

Define and implement an anti-DoS policy for graph visits using the max_edges parameter
Closed, MigratedEdits Locked


In order to allow public access to the graph API, we need to prevent external users to DoS the graph service with resource intensive queries. For that, the graph API supports (or will support once T3161 is deployed) a max_edges parameter to limit the number of edges traversed by the graph.

By default, the max_edges parameter is set at 0 (no limit) in the graph service. The Web API should enforce stricter limits when proxying the requests to the graph service.

I think it makes sense to define three different policies for max_edges:

  • One for internal staff users (unlimited?)
  • One for logged in users (100000 edges/query?)
  • One for external users (1000 edges/query?)

For reference, a big repository like CPython has an order of magnitude of around a few million edges.

Event Timeline

seirl triaged this task as High priority.Jan 7 2022, 5:12 PM
seirl created this task.

Anti-DoS policy has been implemented and deployed. The max_edges thresholds can be easily changed by configuration.

Once final thresholds defined, we should document them in the graph endpoint documentation.