security: no rate limiting on AI and social image AJAX endpoints #243

Open
opened 2026-06-29 14:23:34 +00:00 by jmiller · 1 comment
Owner

Description

The AiController::generate() and ImageController::generate() AJAX endpoints have CSRF and ACL checks but no rate limiting. A user with valid CSRF token and edit permissions could:

  1. AiController: Rapidly invoke Claude/OpenAI API calls, accumulating API costs for the site owner
  2. ImageController: Rapidly generate images, consuming CPU/memory on the server (PHP GD processing)

Suggested fix

Add session-based rate limiting:

```php
use Joomla\CMS\Factory;

// Per-session timestamp of the last accepted call to this endpoint.
$session = Factory::getApplication()->getSession();
$key = 'mokosuitecross_ai_last_call';
$lastCall = $session->get($key, 0);
$now = time();

// Refuse the request while the 10-second cooldown is still running.
if ($now - $lastCall < 10) {
    echo json_encode(['error' => 'Rate limit exceeded. Please wait before trying again.']);
    $this->app->close();
    return;
}

// Record this call so the next one is measured against it.
$session->set($key, $now);
```

A 10-second cooldown per session would prevent abuse without impacting normal usage.
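The cooldown above, factored into a small reusable limiter so the AI and image endpoints each get their own key and the refusal carries a 429 status. This is an added example written for this issue, not code from MokoSuiteCross; the `CooldownLimiter` class, its in-memory store standing in for the Joomla session, and `handleGenerate()` are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not project code. The array store stands in for the Joomla
// session (get/set) so the class can run outside Joomla; in the controller
// the session object's get()/set() would back it instead.
final class CooldownLimiter
{
    private array $store = [];

    public function __construct(private int $cooldown = 10) {}

    /** Returns true and records the call if allowed, false while cooling down. */
    public function allow(string $endpoint, int $now): bool
    {
        // Namespaced per endpoint so the AI and image cooldowns are independent.
        $key = 'mokosuitecross_' . $endpoint . '_last_call';
        $last = $this->store[$key] ?? 0;
        if ($now - $last < $this->cooldown) {
            return false;
        }
        $this->store[$key] = $now;
        return true;
    }
}

// Hypothetical controller action: refuse with an explicit 429 and Retry-After
// instead of a 200 carrying an error body, so clients and proxies can tell.
function handleGenerate(CooldownLimiter $limiter, string $endpoint): void
{
    if (!$limiter->allow($endpoint, time())) {
        http_response_code(429);
        header('Retry-After: 10');
        echo json_encode(['error' => 'Rate limit exceeded. Please wait before trying again.']);
        return;
    }
    // ... proceed with the expensive AI / image generation ...
}

// Constructed demo: a second 'ai' call 5 s later is refused, an 'image' call
// at the same moment is allowed (separate key), and 'ai' is allowed again at +10 s.
$limiter = new CooldownLimiter();
var_dump($limiter->allow('ai', 1000));
var_dump($limiter->allow('ai', 1005));
var_dump($limiter->allow('image', 1005));
var_dump($limiter->allow('ai', 1010));
```

One caveat: a session-keyed limit gives every session its own budget, so a user holding several sessions gets several budgets; keying a server-side store by user id instead closes that gap.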

Impact

  • Severity: Low -- requires authenticated user with valid CSRF, but could cause unexpected API billing
  • Affected files: AiController.php, ImageController.php
Author
Owner

Branch created: feature/243-security-no-rate-limiting-on-ai-and-soci

```bash
git fetch origin
git checkout feature/243-security-no-rate-limiting-on-ai-and-soci
```
Reference: MokoConsulting/MokoSuiteCross#243