[Bug]: get_site_metadata API can be used to DDOS other sites #5287

Open
5 tasks done
anhcuky opened this issue Dec 25, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@anhcuky
Contributor

anhcuky commented Dec 25, 2024

Requirements

  • Is this a bug report? For questions or discussions use https://lemmy.ml/c/lemmy_support
  • Did you check to see if this issue already exists?
  • Is this only a single bug? Do not put multiple bugs in one issue.
  • Do you agree to follow the rules in our Code of Conduct?
  • Is this a backend issue? Use the lemmy-ui repo for UI / frontend issues.

Summary

A simple curl like this can be used to initiate a DDOS:

for i in {1..100}; do
  # each iteration fires one authenticated metadata fetch in the background
  curl "https://${instance}/api/v3/post/site_metadata?url=${url}" -H "Authorization: Bearer ${token}" &
done

Version

BE: 0.19.8

@anhcuky anhcuky added the bug Something isn't working label Dec 25, 2024
@Nothing4You
Collaborator

either you are testing against a different lemmy version than you claim or you are omitting something in your minimal example.
this api is no longer available without an authenticated user since 0.19.6.

once authenticated, it'd be a reflected DoS, not DDoS when used through a single instance.
this is covered under the message rate limit, although the limit is up to instance configuration, and due to this being shared with various other resources it may be quite high.
this also shouldn't amplify the amount of requests, as there should only be a single outbound request per user request, which means that this will at best act as a relay to obscure the original source IP.

@anhcuky
Contributor Author

anhcuky commented Dec 26, 2024

@Nothing4You Yes, it needs to be authenticated.

The point is that someone can use curl to make the backend send thousands of requests to a random website. If that site has some kind of rate limiting, it'll block the backend's IP, which affects everyone on Lemmy, not just the attacker.

@dessalines
Member

We could add a more strict rate limit to it, that seems simple enough.

The default message rate limit is 180 / 60 seconds; post and comment are 6 / 600 seconds; search is 60 / 600 seconds.

Seems like the search rate limit would work fine. What do you think @Nothing4You ?
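As an added example of the stricter limit discussed above (this is not Lemmy's code and not from anyone in the thread), the following Rust sketches a fixed-window limiter in front of the outbound metadata fetch. The per-user budget of 60 requests per 600 seconds is the search limit quoted in the comment above; the instance-wide per-host cap of 120 per 600 seconds, the user id 7 and the example.org target are assumptions made for the example, as is the small host parser that stands in for a real URL library. The per-host cap addresses the reporter's concern that many users, or one user at the per-user limit, could still get the instance's IP blocked by a single target site.

```rust
// Added example, not Lemmy's code: a fixed-window limiter for outbound
// site-metadata fetches, keyed per user (60 / 600 s, the search limit quoted
// in the thread) and per target host (120 / 600 s, a hypothetical cap).
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Fixed-window counter: at most `max` events per `window` for each key.
pub struct FixedWindowLimiter {
    window: Duration,
    max: u32,
    // key -> (start of the current window, events seen in it)
    buckets: HashMap<String, (Instant, u32)>,
}

impl FixedWindowLimiter {
    pub fn new(max: u32, window: Duration) -> Self {
        Self { window, max, buckets: HashMap::new() }
    }

    /// Records one event for `key` at `now` and returns true, or returns false
    /// (recording nothing) once the key has used its budget for this window.
    pub fn try_acquire(&mut self, key: &str, now: Instant) -> bool {
        let entry = self.buckets.entry(key.to_string()).or_insert((now, 0));
        if now.saturating_duration_since(entry.0) >= self.window {
            *entry = (now, 0); // previous window expired, start a fresh one
        }
        if entry.1 >= self.max {
            return false;
        }
        entry.1 += 1;
        true
    }
}

/// Host part of an http(s) URL (stand-in for a real URL parser). Anything that
/// is not http or https yields None so the caller refuses to fetch it at all.
pub fn target_host(url: &str) -> Option<String> {
    let rest = url
        .strip_prefix("https://")
        .or_else(|| url.strip_prefix("http://"))?;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    let hostport = authority.rsplit('@').next()?; // drop userinfo, if present
    let host = if hostport.starts_with('[') {
        &hostport[..=hostport.find(']')?] // bracketed IPv6 literal
    } else {
        hostport.split(':').next()? // strip an explicit port
    };
    if host.is_empty() { None } else { Some(host.to_ascii_lowercase()) }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict { Allowed, UserLimited, HostLimited, BadUrl }

pub struct MetadataFetchGate {
    per_user: FixedWindowLimiter,
    per_host: FixedWindowLimiter,
}

impl MetadataFetchGate {
    pub fn new() -> Self {
        Self {
            per_user: FixedWindowLimiter::new(60, Duration::from_secs(600)),
            per_host: FixedWindowLimiter::new(120, Duration::from_secs(600)),
        }
    }

    /// Decide whether the instance should make the outbound fetch for `user_id`.
    /// The per-user budget is charged before the per-host check, so a user who
    /// keeps hitting an already saturated host still burns their own quota.
    pub fn check(&mut self, user_id: i32, url: &str, now: Instant) -> Verdict {
        let host = match target_host(url) {
            Some(h) => h,
            None => return Verdict::BadUrl,
        };
        if !self.per_user.try_acquire(&format!("user:{}", user_id), now) {
            return Verdict::UserLimited;
        }
        if !self.per_host.try_acquire(&format!("host:{}", host), now) {
            return Verdict::HostLimited;
        }
        Verdict::Allowed
    }
}

/// Replays the reporter's loop: `n` back-to-back requests from one (constructed)
/// user for one URL. Returns (forwarded, rejected by the per-user limit).
pub fn simulate_burst(n: u32, url: &str) -> (u32, u32) {
    let mut gate = MetadataFetchGate::new();
    let now = Instant::now();
    let (mut allowed, mut limited) = (0, 0);
    for _ in 0..n {
        match gate.check(7, url, now) {
            Verdict::Allowed => allowed += 1,
            Verdict::UserLimited => limited += 1,
            _ => {}
        }
    }
    (allowed, limited)
}

fn main() {
    let (allowed, limited) = simulate_burst(100, "https://example.org/some/page");
    println!("100-request burst: {} forwarded, {} rejected by the per-user limit", allowed, limited);
}
```

With these numbers the reporter's 100-request loop results in 60 outbound fetches and 40 rejections, and three users each at their own limit still only produce 120 fetches to one host in a window. A fixed window is the simplest shape and lets a user spend two full budgets back to back across the window boundary; a sliding window or token bucket smooths that out at the cost of a little more state, and whichever shape is used, the counter has to live somewhere shared if the instance runs more than one backend process.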

Development

No branches or pull requests

3 participants