
GetEventsStream limit query parameter has no upper bound cap allowing billions of events to be requested #7046


User Request

Type: bug
Target: Console Application
Submitted by: @aashu2006
Console Request ID: d7dc6175-4262-4366-8152-f1d302649c12

Description

What happened:
In pkg/api/handlers/sse.go:641, limit is parsed with c.QueryInt and no upper bound cap, then passed directly to h.k8sClient.GetEvents. GetWarningEventsStream correctly uses parseWarningEventsLimit which clamps to 500. A caller can request ?limit=2147483647 causing each cluster goroutine to attempt fetching billions of events.

What I expected:
GetEventsStream should use the same parseWarningEventsLimit pattern or apply an equivalent inline clamp before passing to the fetch function.

Steps to reproduce:

  1. Call GET /mcp/events/stream?limit=2147483647
  2. Observe each cluster goroutine attempts to fetch billions of events

This issue was automatically created from the KubeStellar Console.
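As an added illustration of the fix the report asks for (example code, not KubeStellar Console's own `parseWarningEventsLimit`): a bounded parser for the raw `?limit=` value that clamps to the 500 cap mentioned above and falls back to a default on empty, non-numeric, non-positive or overflowing input. The default of 100 is an assumption for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Bounds for the events-stream limit. The 500 cap mirrors the one the
// report says parseWarningEventsLimit already applies; the default of
// 100 is an assumption made for this example.
const (
	defaultEventsLimit = 100
	maxEventsLimit     = 500
)

// ParseEventsLimit turns the raw ?limit= query value into a bounded int.
// Anything unparsable, non-positive, or above the cap is forced into
// [1, maxEventsLimit], so a caller cannot drive the per-cluster fetch
// with an arbitrarily large count such as 2147483647.
func ParseEventsLimit(raw string) int {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return defaultEventsLimit
	}
	n, err := strconv.Atoi(raw)
	if err != nil {
		// Covers non-numeric input and values that overflow int.
		return defaultEventsLimit
	}
	if n <= 0 {
		return defaultEventsLimit
	}
	if n > maxEventsLimit {
		return maxEventsLimit
	}
	return n
}

func main() {
	// Constructed sample inputs, including the value from the report.
	samples := []string{"", "abc", "-5", "0", "42", "500", "501", "2147483647", "99999999999999999999"}
	for _, raw := range samples {
		fmt.Printf("limit=%q -> %d\n", raw, ParseEventsLimit(raw))
	}
}
```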

Labels: ai-fix-requested, ai-processing (AI is currently processing this issue), kind/bug (Categorizes issue or PR as related to a bug), triage/accepted (Indicates an issue or PR is ready to be actively worked on), triage/needed (Needs triage)
