What happened?
Every resource-intensive endpoint in backend/secuscan/routes.py uses a dedicated rate limiter:
@router.post("/task/start", dependencies=[Depends(task_start_limiter)])
@router.get("/task/{task_id}/report/csv", dependencies=[Depends(report_download_limiter)])
@router.get("/dashboard/summary", dependencies=[Depends(read_heavy_limiter)])
@router.get("/vault", dependencies=[Depends(vault_limiter)])
The scheduler tick endpoint is the only execution endpoint with no such limiter:
@router.post("/workflows/scheduler/tick")
async def trigger_workflow_tick():
    await scheduler.tick()  # No rate limiter
    return {"tick": "ok"}
Steps to Reproduce
- Obtain a valid API key.
- Send POST /api/v1/workflows/scheduler/tick repeatedly in a tight loop.
- All enabled workflows are triggered on each tick with no throttling.
Expected Behavior
The tick endpoint should be rate-limited to prevent rapid repeated calls from exhausting scan quotas, overloading the task queue, or flooding scan targets.
Actual Behavior
Any API key holder can call the tick endpoint without throttling. This bypasses the intended scheduling interval and can force continuous workflow execution.
Root Cause Analysis
The trigger_workflow_tick function was added without the Depends(...) rate limiter pattern used by every other execution endpoint in the file.
Suggested Fix
Add a rate limiter matching the pattern of other execution endpoints:
@router.post("/workflows/scheduler/tick", dependencies=[Depends(tick_limiter)])
async def trigger_workflow_tick():
    await scheduler.tick()
    return {"tick": "ok"}
A reasonable limit is one tick per 10 seconds per API key to allow legitimate external triggers while preventing runaway execution.
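The report does not show how the project's existing limiters (task_start_limiter and friends) are built, so the following is an added, stand-alone illustration of what a tick_limiter with the suggested policy could look like; it is not code from backend/secuscan/routes.py. The class name TickLimiter, the try_acquire/enforce helpers, the 10-second interval and the use of a FastAPI HTTPException with a Retry-After header are all assumptions. State lives in process memory, which is the main caveat: with several worker processes each has its own table, so a deployment that runs multiple workers needs a shared store such as Redis behind the same interface.

```python
"""Per-API-key minimum-interval limiter for the scheduler tick endpoint.

Added example (not the SecuScan project's own code). Assumed names:
TickLimiter, tick_limiter, enforce. Policy: at most one accepted call
per ``min_interval`` seconds per API key; throttled calls get HTTP 429
with a Retry-After header so legitimate external triggers can back off.
"""
import math
import threading
import time
from typing import Callable, Dict

try:  # Use FastAPI's exception when available so the 429 is rendered normally.
    from fastapi import HTTPException
except ImportError:  # Fallback so the example also runs without FastAPI installed.
    class HTTPException(Exception):
        def __init__(self, status_code: int, detail: str = "", headers=None):
            super().__init__(detail)
            self.status_code = status_code
            self.detail = detail
            self.headers = headers or {}


class TickLimiter:
    """Track the last accepted call per API key (in-process memory only)."""

    def __init__(self, min_interval: float = 10.0,
                 clock: Callable[[], float] = time.monotonic,
                 max_keys: int = 10_000):
        self.min_interval = min_interval
        self._clock = clock          # injectable for deterministic tests
        self._max_keys = max_keys    # bound memory if keys churn
        self._last_call: Dict[str, float] = {}
        self._lock = threading.Lock()

    def _prune(self, now: float) -> None:
        # Drop keys whose window has already expired; keeps the table bounded.
        if len(self._last_call) > self._max_keys:
            stale = [k for k, t in self._last_call.items()
                     if now - t >= self.min_interval]
            for k in stale:
                del self._last_call[k]

    def try_acquire(self, api_key: str) -> float:
        """Return 0.0 if the call is accepted (and recorded), otherwise the
        number of seconds the caller must wait. Throttled calls are not
        recorded, so a tight loop cannot push its own window forward."""
        now = self._clock()
        with self._lock:
            last = self._last_call.get(api_key)
            if last is not None and now - last < self.min_interval:
                return self.min_interval - (now - last)
            self._prune(now)
            self._last_call[api_key] = now
            return 0.0


def enforce(limiter: TickLimiter, api_key: str) -> None:
    """Raise HTTP 429 with Retry-After when the key is inside its window."""
    retry_after = limiter.try_acquire(api_key)
    if retry_after > 0:
        raise HTTPException(
            status_code=429,
            detail="scheduler tick rate limit exceeded for this API key",
            headers={"Retry-After": str(math.ceil(retry_after))},
        )


# Module-level instance: one tick per 10 seconds per key, as suggested above.
_tick_limiter = TickLimiter(min_interval=10.0)


async def tick_limiter(api_key: str) -> None:
    """FastAPI-style dependency for dependencies=[Depends(tick_limiter)].

    ``api_key`` is assumed to come from the project's existing API-key
    authentication dependency (not shown in the report); wire it in there
    rather than taking it as a bare parameter in production code.
    """
    enforce(_tick_limiter, api_key)


if __name__ == "__main__":
    # Simulate the "tight loop" from the reproduction steps with a fake clock.
    fake_now = [0.0]
    lim = TickLimiter(min_interval=10.0, clock=lambda: fake_now[0])
    for i in range(5):
        fake_now[0] = i * 3.0  # calls every 3 seconds
        wait = lim.try_acquire("constructed-api-key")
        print(f"t={fake_now[0]:>4}s  {'accepted' if wait == 0 else f'throttled, retry in {wait:.0f}s'}")
```

The limiter records only accepted calls, which matters for the scenario in the report: if rejected attempts also reset the window, a caller hammering the endpoint would never get a tick at all, whereas here the first call after each 10-second window succeeds and the rest are refused with a Retry-After value that a well-behaved external trigger can honour.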
Affected File
backend/secuscan/routes.py