fix: fail closed for unknown rate limit operations#1451
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (2)
📝 WalkthroughWalkthroughThe changes centralize SafeDeletion memory ID validation and make unknown rate-limit operations fail closed, translating configuration errors into HTTP 500 responses. New tests cover both behaviors and preserve known-operation behavior. ChangesValidation and rate-limit hardening
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
memanto/app/utils/rate_limiting.py (1)
77-86: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winLog misconfiguration errors for operational visibility.
The 429 rate-limit path logs via
MemantoLogger.log_request, but the new 500 misconfiguration path does not log anything. Arate_limit_misconfiguredevent is a serious operational issue that should be visible in logs for alerting and debugging.♻️ Proposed refactor: add logging to the 500 path
try: allowed, retry_after = self.check_rate_limit(operation, agent_id) except ValueError as exc: + from memanto.app.utils.logging import MemantoLogger + + MemantoLogger.log_request( + request_id="rate_limit", + route=f"/{operation}", + method="POST", + status_code=500, + latency_ms=0, + agent_id=agent_id, + errors=["rate_limit_misconfigured"], + ) raise HTTPException( status_code=500, detail={ "error": "rate_limit_misconfigured", "message": str(exc), }, + from exc, )🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@memanto/app/utils/rate_limiting.py` around lines 77 - 86, Update the ValueError handler around check_rate_limit in the rate-limiting flow to log the rate_limit_misconfigured event through MemantoLogger.log_request before raising HTTPException. Include the relevant operation, agent_id, and exception details while preserving the existing 500 response payload.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@memanto/app/utils/rate_limiting.py`:
- Around line 77-86: Update the ValueError handler around check_rate_limit in
the rate-limiting flow to log the rate_limit_misconfigured event through
MemantoLogger.log_request before raising HTTPException. Include the relevant
operation, agent_id, and exception details while preserving the existing 500
response payload.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 1f5a16b1-0eb9-4741-82aa-bd1eda093329
📒 Files selected for processing (3)
memanto/app/legacy/safe_deletion.pymemanto/app/utils/rate_limiting.pytests/test_rate_limit_validation.py
Summary
RateLimiterreceives an unknown operation instead of silently allowing the requestrate_limit_misconfiguredresponse from enforcement paths so misconfigured wrappers are visibleis_valid_memory_idhelper in legacySafeDeletionso deletion validation matches the rest of the codebaseBounty context
Addresses the rate limiter fail-open and memory ID validation inconsistency reported in #1438.
Related to the Memanto Bug & Exploit Challenge #770.
I intentionally did not narrow
SourceType = strin this PR because the public API currently accepts custom source identifiers for agents/tools. That should be handled as a separate compatibility decision if maintainers want a stricter source enum.Validation
python -m pytest tests\test_rate_limit_validation.py -qpython -m pytest tests\test_unit.py::TestMemoryWriteServiceDelete -qpython -m ruff check memanto\app\utils\rate_limiting.py memanto\app\legacy\safe_deletion.py tests\test_rate_limit_validation.pygit diff --check(passes; Git only warned about LF->CRLF on this Windows checkout)Summary by CodeRabbit
Bug Fixes
error: rate_limit_misconfigured.Tests