fix: add rate limit to /moderation/sensitive-images endpoint (#629)

Detected suspicious activity: 72 requests in 17 seconds from a single IP
with no user agent, targeting only this endpoint. Added 10/minute rate
limit to prevent abuse.

Investigation details:
- Single IP (172.16.17.202 via Fly proxy) hitting endpoint repeatedly
- Requests spaced ~230ms apart (too consistent for human browsing)
- No corresponding user activity (page loads, audio streams)
- All requests had no User-Agent header

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

authored by zzstoatzz.io Claude Opus 4.5 and committed by GitHub f763c35f c232a6e8

Changed files
+4 -1
backend/src/backend/api/moderation.py
··· 2 2 3 3 from typing import Annotated 4 4 5 - from fastapi import APIRouter, Depends 5 + from fastapi import APIRouter, Depends, Request 6 6 from pydantic import BaseModel 7 7 from sqlalchemy import select 8 8 from sqlalchemy.ext.asyncio import AsyncSession 9 9 10 10 from backend.models import SensitiveImage, get_db 11 + from backend.utilities.rate_limit import limiter 11 12 12 13 router = APIRouter(prefix="/moderation", tags=["moderation"]) 13 14 ··· 22 23 23 24 24 25 @router.get("/sensitive-images") 26 + @limiter.limit("10/minute") 25 27 async def get_sensitive_images( 28 + request: Request, 26 29 db: Annotated[AsyncSession, Depends(get_db)], 27 30 ) -> SensitiveImagesResponse: 28 31 """get all flagged sensitive images.
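Review bot: in the import hunk, `from backend.utilities.rate_limit import limiter` brings in a shared limiter whose key function is not visible in this diff, while the commit message says the offending traffic arrived as 172.16.17.202 via the Fly proxy. If the limiter keys on the socket peer address, every client that reaches the app through that proxy falls into one bucket, and 10/minute would throttle legitimate users together with the abusive one. Please confirm that the key is derived from the client address the proxy forwards, and note that next to the import or in the commit message.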
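Review bot: in the second hunk, `request: Request` is added to `get_sensitive_images` but nothing visible in the diff uses it. If it is there only because `@limiter.limit("10/minute")` needs it, add a one-line comment saying so, so that it is not later removed as an unused parameter. The docstring should also say that the endpoint now rejects callers that exceed 10 requests per minute, and a test that sends an eleventh request inside the window would keep the limit from regressing silently.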