membphis commented on PR #13573:
URL: https://github.com/apache/apisix/pull/13573#issuecomment-4767152110

   This looks incomplete for `rules` mode.
   
   The new `resolve_var()` validation correctly rejects zero, negative, 
fractional, and out-of-range `count` / `time_window` values, but `get_rules()` 
still treats errors from `rule.count` and `rule.time_window` as “skip this 
rule”.
   
   As a result, when `count` or `time_window` is resolved from a 
client-controlled variable, an invalid value can silently disable that rule 
instead of rejecting the request. This leaves `limit-count-advanced` / 
rules-based configurations uncovered by the fix.
   
   Could we return the validation error for `count` / `time_window` here, and 
only skip the rule when the rule key itself does not resolve?
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to