P1 findings: Remi Server (rate limiter DoS, prefix match, OOM, header injection, LIKE injection) #19

@TusanHomichi

Description

Summary

Multiple P1-level issues found in the Remi server.

Findings

1. Rate limiter memory DoS

  • Location: conary-server/src/server/
  • Issue: Per-IP rate limiter state grows unbounded. Attacker can exhaust memory by rotating source IPs.
  • Fix: Add LRU eviction or fixed-size rate limiter state.

2. Route prefix matching

  • Location: conary-server/src/server/
  • Issue: Route matching uses prefix comparison, allowing /v1/admin to match /v1/adminstuff.
  • Fix: Use exact path segment matching.

3. Unbounded request body (OOM)

  • Location: conary-server/src/server/
  • Issue: Some endpoints don't limit request body size, allowing OOM via large uploads.
  • Fix: Set Content-Length limits on all endpoints.

4. Header injection

  • Location: conary-server/src/server/
  • Issue: User input reflected in HTTP response headers without sanitization.
  • Fix: Sanitize or reject header values containing newlines.

5. LIKE injection in search

  • Location: conary-server/src/server/
  • Issue: Search terms passed to SQL LIKE without escaping % and _ wildcards.
  • Fix: Escape LIKE special characters in user input.
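
An added example of the fixed-size rate limiter state proposed in finding 1 (this is illustrative code, not the conary-server implementation): a per-client fixed-window counter whose state is capped at `max_clients` entries with least-recently-used eviction, so rotating source addresses cannot grow memory without bound. The class, method and parameter names are assumptions.

```python
# Added example (not conary-server code): per-client rate limiting with a
# hard cap on the number of tracked clients, so the state cannot be grown
# without bound by rotating source IPs (finding 1 above).
from collections import OrderedDict
from typing import Optional, Tuple
import time


class BoundedRateLimiter:
    """Allow at most `limit` requests per `window` seconds per client key.

    State lives in an OrderedDict used as an LRU: at most `max_clients`
    keys are kept, and the least recently seen client is evicted first.
    """

    def __init__(self, limit: int, window: float, max_clients: int):
        self.limit = limit
        self.window = window
        self.max_clients = max_clients
        # client key -> (window start time, requests seen in that window)
        self._state: "OrderedDict[str, Tuple[float, int]]" = OrderedDict()

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        """Return True if the request is within limit, False if it is rejected."""
        now = time.monotonic() if now is None else now
        start, count = self._state.get(client, (now, 0))
        if now - start >= self.window:        # window expired: start a new one
            start, count = now, 0
        count += 1
        self._state[client] = (start, count)
        self._state.move_to_end(client)       # mark as most recently used
        while len(self._state) > self.max_clients:
            self._state.popitem(last=False)   # evict least recently used key
        return count <= self.limit

    def tracked_clients(self) -> int:
        """Number of client keys currently held; never exceeds max_clients."""
        return len(self._state)
```

Eviction trades exactness for bounded memory: a client that is evicted and returns starts with a fresh counter, so `max_clients` should be sized well above the expected number of concurrent sources and combined with limits applied upstream.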

Metadata

Labels: P1-important (Important severity), bug (Something isn't working)