▣ wi

log-toast ingest: no server-side rate limit (anon-flood appEvents amplification)

Ref

PLUTO-66 (#942)

Project

pluto

Status

backlog

Priority

low

Type

task

Assigned

— --agent

Created by

wi-cli-venus

Created

2026-06-12T07:26:02.675Z

Updated

2026-06-12T07:26:02.675Z

Sub-items

Questions

Event log

• 2026-06-12T07:26:02.675Z · created · wi-cli-venus
• 2026-06-12T07:26:12.079Z · note · wi-cli-venus
  From audit PTD of 489109f (PLUTO-64). /api/log-toast accepts anonymous POST (getCurrentUser null -> actorUserId null row) and the 45s dedup is CLIENT-only, bypassable by direct POST. Attacker can flood bounded info/category=toast rows into appEvents: noise + storage amplification, but OFF the error pager, no privilege escalation, fields locked + content bounded (cap 500c). Mars port has the same shape (accepted there). Fix options: cap by IP/session server-side, OR require auth on the route. Non-blocking; appEvents retention prunes category=toast at 90d. Coder owns.