Issue Description
During a security review of our customized Discourse deployment, we discovered a potential resource exhaustion risk related to the file upload API.
Details
-
Upload API: /uploads.json
-
Issue: There is no apparent rate limiting on this endpoint. Any authenticated user can rapidly upload large numbers of files.
-
Reproduction:
-
By automating requests, a user can send thousands of upload requests in a short time.
-
We verified that after sending thousands of upload requests, the storage directory contains thousands of files.
-
Security/Resource Impact
-
Attackers or even normal users could exhaust server storage, degrade performance, or trigger operational issues by uploading massive numbers of files.
-
This could potentially be abused for denial-of-service or to increase storage costs unexpectedly.
Questions
-
Is there any built-in rate limiting or abuse prevention for the /uploads.json endpoint in Discourse?
-
Are there recommended settings or plugins to restrict user upload frequency or total storage usage per user?
-
Are there best practices to prevent resource exhaustion caused by file uploads in Discourse deployments?
Thank you for your attention and advice!