Conversation

@naps62
Member

@naps62 naps62 commented Jan 14, 2026

No description provided.

Copilot AI review requested due to automatic review settings January 14, 2026 14:58
@vercel

vercel bot commented Jan 14, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
stacks Ready Ready Preview, Comment Jan 26, 2026 5:16pm


Contributor

Copilot AI left a comment


Pull request overview

This PR adds hardcoded resource limits to prevent unbounded stack creation in the system. It introduces a per-user limit of 3 stacks and a global limit of 100 stacks across all users.

Changes:

  • Added limit constants and validation functions to check user and global stack counts
  • Refactored create_stack functions to validate limits before insertion
  • Added error handling in the stack controller for limit exceeded scenarios

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
server/lib/ethui/stacks.ex Adds limit constants, count queries, validation functions, and integrates limit checks into stack creation logic
server/lib/ethui_web/controllers/api/stack_controller.ex Adds HTTP error responses (403/503) for user and global limit exceeded scenarios
Comments suppressed due to low confidence (2)

server/lib/ethui/stacks.ex:159

  • The limit checking has a race condition vulnerability. The count is checked separately from the insert operation, which means multiple concurrent requests could pass the limit check before any insertions complete. This could allow the global limit to be exceeded.

Consider wrapping the count check and insert in a database transaction, or using a database constraint to enforce the limit atomically.


  def get_user_stack_by_slug(nil, slug) do
    Repo.get_by(Stack, slug: slug)
    |> Repo.preload(:api_key)
  end

server/lib/ethui/stacks.ex:164

  • The limit checking has a race condition vulnerability. The count is checked separately from the insert operation, which means multiple concurrent requests could pass the limit check before any insertions complete. This could allow users to exceed both the per-user limit and global limit.

Consider wrapping the count check and insert in a database transaction, or using a database constraint to enforce the limits atomically. For example, you could add the count check as part of the Ecto.Multi transaction.

    get_user_stack_by_slug(user_id, slug)
  end


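The fix the review above asks for, as an added example that is not the project's own code: the count and the insert run in one Ecto.Multi transaction, and a transaction-scoped PostgreSQL advisory lock serialises stack creation so the count cannot go stale between the check and the commit (a bare transaction under the default READ COMMITTED isolation would not prevent that). It assumes a PostgreSQL-backed `Ethui.Repo`, an `Ethui.Stacks.Stack` schema with a `user_id` field and a `Stack.changeset/2` function, and the lock key is an arbitrary constructed value.

```elixir
defmodule Ethui.Stacks.Limits do
  # Added example, not project code. Assumes Ethui.Repo on PostgreSQL,
  # Ethui.Stacks.Stack with a :user_id field, and Stack.changeset/2.
  import Ecto.Query, only: [from: 2]
  alias Ecto.Multi
  alias Ethui.Repo
  alias Ethui.Stacks.Stack

  @max_per_user 3
  @max_global 100

  # Arbitrary application-chosen key for pg_advisory_xact_lock/1. Every
  # creation takes this lock first, so counts read afterwards in the same
  # transaction are exact until commit; the lock is released automatically.
  @lock_key 7_421_001

  def create_stack(user_id, attrs) do
    Multi.new()
    |> Multi.run(:lock, fn repo, _changes ->
      # Blocks until any concurrent create_stack transaction has committed.
      {:ok, repo.query!("SELECT pg_advisory_xact_lock($1)", [@lock_key])}
    end)
    |> Multi.run(:check_limits, fn repo, _changes ->
      user_count =
        repo.aggregate(from(s in Stack, where: s.user_id == ^user_id), :count)

      global_count = repo.aggregate(Stack, :count)

      cond do
        user_count >= @max_per_user -> {:error, :user_limit_exceeded}
        global_count >= @max_global -> {:error, :global_limit_exceeded}
        true -> {:ok, {user_count, global_count}}
      end
    end)
    # The insert only runs if :check_limits returned {:ok, _}; otherwise the
    # whole transaction rolls back and the lock is released.
    |> Multi.insert(:stack, Stack.changeset(%Stack{user_id: user_id}, attrs))
    |> Repo.transaction()
    |> case do
      {:ok, %{stack: stack}} -> {:ok, stack}
      {:error, :check_limits, reason, _changes} -> {:error, reason}
      {:error, :stack, changeset, _changes} -> {:error, changeset}
    end
  end
end
```

The controller can map `:user_limit_exceeded` and `:global_limit_exceeded` to the 403/503 responses the PR adds; a global advisory lock is acceptable here because the global cap is 100, but a per-user key would be needed if creations were frequent.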

@naps62 naps62 requested a review from ZePedroResende January 14, 2026 15:42
@naps62 naps62 merged commit b69cb6f into main Jan 26, 2026
3 checks passed
@naps62 naps62 deleted the limits branch January 26, 2026 18:06