Skip to content

[CRITICAL] API contributors route has no rate limiting - DoS vulnerability #18

Description

@saidai-bhuvanesh

⚠️ Performance: No Rate Limiting on GitHub API Calls

Severity: High
File: src/app/api/contributors/route.js

Problem

Every request hits GitHub API without rate limiting:

const [pullsRes, commitsRes] = await Promise.all([
  fetch("https://api.github.com/repos/.../pulls?...", { cache: "no-store" }),
  fetch("https://api.github.com/repos/.../commits?...", { cache: "no-store" })
]);

Issues

  1. No caching: cache: no-store means every request hits GitHub
  2. No rate limiting: Can trigger GitHub API rate limits (60 req/hr for unauth)
  3. DoS potential: Single user can exhaust API quota

Fix Required

// Add caching
const res = await fetch(url, { 
  next: { revalidate: 300 } // Cache for 5 minutes
});

// Add rate limiting header check
const rateLimit = res.headers.get("x-ratelimit-remaining");
if (rateLimit && parseInt(rateLimit) < 10) {
  return NextResponse.json({ error: "Rate limited" }, { status: 429 });
}

Labels: bug, ssoc26

Metadata

Metadata

Labels

enhancementNew feature or requestgood first issueGood for newcomersssoc26Main tag identifying the repository for Social Summer of Code 2026

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions