github-advanced-security[bot] commented on code in PR #1420:
URL: https://github.com/apache/syncope/pull/1420#discussion_r3413910776
##########
core/idrepo/rest-cxf/src/main/java/org/apache/syncope/core/rest/cxf/RESTProperties.java:
##########
@@ -18,17 +18,92 @@
*/
package org.apache.syncope.core.rest.cxf;
+import java.time.Duration;
+import java.util.HashSet;
+import java.util.Set;
import org.apache.syncope.core.provisioning.java.ExecutorProperties;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.NestedConfigurationProperty;
@ConfigurationProperties("rest")
public class RESTProperties {
+ public static class RateLimitProperties {
+
+ private boolean enabled;
+
+ private int maxRequests = 300;
+
+ private Duration window = Duration.ofMinutes(1);
+
+ private Duration lock = Duration.ofMinutes(1);
+
+ private String forwardedForHeader = "X-Forwarded-For";
+
+ private final Set<String> excludedAddresses = new HashSet<>();
+
+ private final Set<String> trustedProxies = new HashSet<>();
+
+ public boolean isEnabled() {
+ return enabled;
+ }
+
+ public void setEnabled(final boolean enabled) {
+ this.enabled = enabled;
+ }
+
+ public int getMaxRequests() {
+ return maxRequests;
+ }
+
+ public void setMaxRequests(final int maxRequests) {
+ this.maxRequests = maxRequests;
+ }
+
+ public Duration getWindow() {
+ return window;
+ }
+
+ public void setWindow(final Duration window) {
+ this.window = window;
+ }
+
+ public Duration getLock() {
+ return lock;
+ }
+
+ public void setLock(final Duration lock) {
+ this.lock = lock;
+ }
+
+ public String getForwardedForHeader() {
+ return forwardedForHeader;
+ }
+
+ public void setForwardedForHeader(final String forwardedForHeader) {
+ this.forwardedForHeader = forwardedForHeader;
+ }
+
+ public Set<String> getExcludedAddresses() {
+ return excludedAddresses;
+ }
+
+ public Set<String> getTrustedProxies() {
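Review bot: The setters in RateLimitProperties store whatever the configuration binds, so `setMaxRequests` accepts zero or a negative count and `setWindow`/`setLock` accept null or a non-positive Duration. How the rate-limit filter treats such values is not visible in this hunk, but a limiter configured that way would presumably either block every request or never throttle, and the mistake would only surface at request time. Rejecting bad values at bind time keeps a typo in the properties file from silently changing the protection, for example `if (maxRequests <= 0) { throw new IllegalArgumentException("maxRequests must be positive: " + maxRequests); }` in `setMaxRequests` and `this.window = Objects.requireNonNull(window, "window");` (with `java.util.Objects` imported) plus a positive-duration check in `setWindow` and `setLock`. The hunk ends on the signature of getTrustedProxies, so that method's body is outside this view.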
Review Comment:
## CodeQL / Exposing internal representation
getTrustedProxies exposes the internal representation stored in field
trustedProxies. The value may be modified [after this call to
getTrustedProxies](1).
[Show more
details](https://github.com/apache/syncope/security/code-scanning/2646)