Feature Request: Create a feature to set default rest queries by default if not set (like for `limit`)

Open adulau opened this issue 8 months ago • 4 comments

Is your feature request related to a problem? Please describe.

As you know, we have the issue that if there is no limit set, a request can kill an instance to get all data. To not impact existing MISP users, we propose to create a setting to set the default limit (maybe some other parameters) to avoid dangerous queries if the parameter is not set.

Describe the solution you'd like

It should be a parameter in the settings to allow a user or site admin to have a default limit in the MISP instance.

As it's just a setting, it won't impact the existing users.

Describe alternatives you've considered

No response

Additional context

No response

Code of Conduct

  • [x] I agree to follow this project's Code of Conduct

adulau avatar Apr 21 '25 12:04 adulau

Good idea.

Might be helpful, since the server cannot kill long-running backend database queries, if there was a documented suggestion for folks to consider configuring a method for the database to kill these processes (e.g. creating a MySQL watchdog event -- example below).

We see cases where the client initiating an extremely long running request unknowing of the impact, who may even no longer be there (disconnected for example due to max_execution_time in PHP or httpd), can trigger an unintentional MISP DoS.

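Suggestion from ChatGPT:

```sql
-- Requires the MySQL event scheduler to be enabled (event_scheduler = ON).
-- DELIMITER lets the mysql client send the compound statement as one unit.
DELIMITER //

CREATE EVENT kill_long_queries
ON SCHEDULE EVERY 10 MINUTE -- Runs every 10 minutes
DO
BEGIN
    DECLARE done INT DEFAULT FALSE;
    DECLARE process_id BIGINT; -- PROCESSLIST.ID is a BIGINT
    DECLARE cur CURSOR FOR
        SELECT ID FROM information_schema.PROCESSLIST
        WHERE TIME > 21600 -- 21600 seconds = 6 hours
          -- Skip root and server-internal threads (replication, event scheduler)
          AND USER NOT IN ('root', 'system user', 'event_scheduler');

    DECLARE CONTINUE HANDLER FOR NOT FOUND SET done = TRUE;

    OPEN cur;
    read_loop: LOOP
        FETCH cur INTO process_id;
        IF done THEN
            LEAVE read_loop;
        END IF;
        -- KILL does not accept a variable, so build and run it dynamically
        SET @query = CONCAT('KILL ', process_id);
        PREPARE stmt FROM @query;
        EXECUTE stmt;
        DEALLOCATE PREPARE stmt;
    END LOOP;

    CLOSE cur;
END//

DELIMITER ;
```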

github-germ avatar Apr 21 '25 14:04 github-germ

Could this be implemented as part of the role permissions? Similar to how you now set memory limits (Role.memory_limit)?

cudeso avatar Apr 22 '25 12:04 cudeso

+1 this, we're struggling operating an ISAC and trying to get everyone who hits our APIs to enforce limits on their requests is an impossible task.

Byhird avatar Oct 14 '25 22:10 Byhird

We already have the feature as a role, but it seems we have a bug. @iglocska will have a look.

adulau avatar Oct 15 '25 06:10 adulau
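
Until a server-side default exists, API consumers can bound their own requests. The sketch below is an added example, not code from MISP or from anyone in this thread: it forces a `limit` and `page` onto every REST search filter and pages through results instead of requesting everything at once. The constants, the function names and the `fetch_page` callable (a stand-in for whatever sends the filter to the instance) are assumptions.

```python
from typing import Callable, Iterator

DEFAULT_LIMIT = 100   # assumed page size, not a MISP default
MAX_LIMIT = 1000      # assumed ceiling for a single request


def _positive_int(value, fallback: int) -> int:
    """Parse value as an int >= 1, falling back on missing or bad input."""
    try:
        parsed = int(value)
    except (TypeError, ValueError):
        return fallback
    return parsed if parsed >= 1 else fallback


def bounded_filters(filters: dict) -> dict:
    """Return a copy of filters that always carries a capped limit and a page."""
    out = dict(filters)
    out["limit"] = min(_positive_int(out.get("limit"), DEFAULT_LIMIT), MAX_LIMIT)
    out["page"] = _positive_int(out.get("page"), 1)
    return out


def iter_results(fetch_page: Callable[[dict], list], filters: dict,
                 max_pages: int = 50) -> Iterator[dict]:
    """Yield results page by page; refuse to walk an unbounded result set."""
    query = bounded_filters(filters)
    for _ in range(max_pages):
        batch = fetch_page(query)
        yield from batch
        if len(batch) < query["limit"]:   # short page means no more data
            return
        query = {**query, "page": query["page"] + 1}
    raise RuntimeError("max_pages reached; narrow the search filters")


# Constructed sample data and transport so the example runs offline.
_FAKE_EVENTS = [{"id": i} for i in range(1, 251)]


def fake_fetch(query: dict) -> list:
    start = (query["page"] - 1) * query["limit"]
    return _FAKE_EVENTS[start:start + query["limit"]]


if __name__ == "__main__":
    print(len(list(iter_results(fake_fetch, {"tags": "tlp:white"}))))
```
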