Bug: API doesn't respect memory limit with PG backend

Open 0xd6cb6d73 opened this issue 1 month ago • 1 comments

Description:

The API doesn't respect global memory limit with a PG backend. This leads to incomplete results for objects with large controllers and controllables metrics.

Are you intending to fix this bug?

No

Component(s) Affected:

  • API
  • GUI

Steps to Reproduce:

  1. Ingest a large enough Entra ID dataset into a PG backend
  2. Configure BHCE with a 0 (unlimited) graph query memory limit through bhe_graph_query_memory_limit=0
  3. Request /api/v2/azure/tenants?object_id={AZ_TENANT_ID}
  4. See HTTP 500 error: "db error: graph query required more memory than allowed - Limit: 1024.00 MB - Memory In-Use: XXXX MB"
  5. Request /api/v2/azure/tenants?object_id={AZ_TENANT_ID}&type=list&limit=1000&related_entity_type=descendent-az-users
  6. See HTTP 500 error: "calculating the request results exceeded memory limitations due to the volume of objects involved"

Expected Behavior:

I expect the query to return the tenant object in the first case, and a list of AZUser objects in the second.

Actual Behavior:

The query runs out of memory, even though the application is configured not to have a memory limit. The memory limit doesn't seem to be related to the application's default value (2G).

Screenshots/Code Snippets/Sample Files:

The error hit in the second case (descendant object access) is here: https://github.com/SpecterOps/BloodHound/blob/main/cmd/api/src/api/v2/azure.go#L331

Environment Information:

BloodHound: v8.3.1

Go (if API related): 1.24.4

Additional Information:

The same error is emitted when selecting the tenant object in the GUI. This visually manifests with a red exclamation mark instead of the descendant object count. The app consumes a lot of memory while the tenant object remains selected in the GUI. Memory consumption on the DB side stays rather low.

It is possible to return AZUser nodes through Cypher using a tenantid filter.

Related Issues:

None I could find.

Contributor Checklist:

  • [x] I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
  • [x] I have provided clear steps to reproduce the issue.
  • [x] I have included relevant environment information details.

0xd6cb6d73, Nov 18 '25 16:11