Skip to content

feat: rate-limit folder virus scans#103

Merged
DenizAltunkapan merged 1 commit into
Vault-Web:mainfrom
arnabnandy7:security/scan-endpoint-rate-limit
Jul 18, 2026
Merged

feat: rate-limit folder virus scans#103
DenizAltunkapan merged 1 commit into
Vault-Web:mainfrom
arnabnandy7:security/scan-endpoint-rate-limit

Conversation

@arnabnandy7

Copy link
Copy Markdown
Contributor

Summary

  • Added a dedicated SCAN rate-limit category.
  • Rate-limited POST /api/files/scan per authenticated user, falling back to client IP.
  • Defaulted the limit to one scan start every five minutes.
  • Kept GET /api/files/scan/{jobId} polling outside the scan budget.
  • Preserved non-positive capacity as the way to disable the limit.
  • Added configuration documentation and tests for limiting, polling, disabled capacity, and defaults.

Linked issue

Closes #97

How to test

cd backend
./mvnw spotless:check test

Expected result: all formatting checks pass and the test suite completes successfully.

Manual verification:

  1. Call POST /api/files/scan; expect 202 Accepted.
  2. Call it again as the same user within five minutes; expect 429 Too Many Requests.
  3. Poll GET /api/files/scan/{jobId}; expect polling to remain available.
  4. Set cloudpage.rate-limit.per-client.scan.capacity=0 and verify repeated scan starts are not rate-limited.

Notes / Risk

  • No database migrations are required.
  • Default configuration allows one scan start per user/IP every five minutes.
  • Operators can override the capacity and refill period through application properties or environment variables.
  • Existing upload, download, and listing rate limits are unchanged.

Signed-off-by: Arnab Nandy <arnab_nandy7@yahoo.com>

@DenizAltunkapan DenizAltunkapan left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arnabnandy7 thank you for your contirbution, looks very good!

@DenizAltunkapan
DenizAltunkapan merged commit 75cb7ed into Vault-Web:main Jul 18, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature]: Rate-limit the folder virus scan endpoint

2 participants