Skip to content

feat: add pagination limits to user and item list endpoints#2383

Open
HassanRady wants to merge 1 commit into
fastapi:masterfrom
HassanRady:fix/unbounded-query-pagination
Open

feat: add pagination limits to user and item list endpoints#2383
HassanRady wants to merge 1 commit into
fastapi:masterfrom
HassanRady:fix/unbounded-query-pagination

Conversation

@HassanRady

Copy link
Copy Markdown

Pull Request

Discussion:

Description

Currently, pagination routes accept an arbitrary limit parameter without validation (e.g., limit: int = 100). At scale, a client or malicious user could supply an extremely large limit (e.g., ?limit=1000000).
FastAPI and SQLModel will read all matching records from the database and instantiate them as Python objects in the server's heap memory. This results in:

  1. Out-of-Memory (OOM) Crashes: The container's memory balloons, triggering the kernel OOM-killer and terminating the backend worker.
  2. CPU Starvation: Heavy garbage collection cycles block other concurrent requests on the event loop.

The Remediation Code

Use FastAPI's Query parameter validator to enforce a hard maximum limit (le=100). This rejects invalid requests with a 422 Unprocessable Entity validation error before querying the database.

Checklist

  • This PR links to a GitHub Discussion for the proposed code change.
  • I added tests for the change.
  • [x ] The new or updated tests fail on the main branch and pass on this PR.
  • Coverage stays at 100%.
  • The documentation explains the change if needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants