Correctness: Rate limiter DashMap grows unbounded — no eviction #83

Open
opened 2026-05-11 13:48:51 +00:00 by thabeta · 0 comments
Owner

Severity: High

Location

crates/hero_aibroker_lib/src/middleware/ratelimit.rs

Finding

The rate limiter stores a per-IP GovRateLimiter in a DashMap that is never cleaned:

```rust
limiters: Arc<DashMap<IpAddr, InnerRateLimiter>>,
```

Every unique IP that hits the broker gets a new entry that persists for the lifetime of the process.

Impact

  • Long-running brokers accumulate entries for every unique IP ever seen
  • Memory grows without bound (each entry ~200+ bytes)
  • CGNAT / mobile networks can generate thousands of IPs
  • In a cascade scenario, mother broker sees all child IPs

Recommendation

  • Implement TTL-based eviction (e.g., remove entries not accessed in 1 hour)
  • Use dashmap's periodic cleanup or a background task
  • Cap total entries with LRU eviction
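
The TTL eviction and entry cap recommended above, sketched as an added example (not code from the hero_aibroker repository). `Entry`, `BoundedLimiters` and the method names are hypothetical, and a plain `HashMap` stands in for the `DashMap` so the block runs with the standard library only; with `DashMap` the same `retain`-based sweep would run from a background task.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr};
use std::time::{Duration, Instant};

// Hypothetical stand-in for the per-IP limiter value (InnerRateLimiter on the page).
struct Entry { last_seen: Instant, hits: u64 }

// Hypothetical bounded table: TTL eviction plus a hard cap on entries.
struct BoundedLimiters { map: HashMap<IpAddr, Entry>, ttl: Duration, max_entries: usize }

impl BoundedLimiters {
    fn new(ttl: Duration, max_entries: usize) -> Self {
        Self { map: HashMap::new(), ttl, max_entries }
    }
    // Record a request; returns the hit count currently held for this IP.
    fn touch(&mut self, ip: IpAddr, now: Instant) -> u64 {
        if !self.map.contains_key(&ip) && self.map.len() >= self.max_entries {
            self.sweep(now); // first try to free idle entries
            if self.map.len() >= self.max_entries { self.evict_oldest(); }
        }
        let e = self.map.entry(ip).or_insert(Entry { last_seen: now, hits: 0 });
        e.last_seen = now;
        e.hits += 1;
        e.hits
    }
    // TTL eviction: remove entries idle longer than `ttl`; returns how many were removed.
    fn sweep(&mut self, now: Instant) -> usize {
        let (before, ttl) = (self.map.len(), self.ttl);
        self.map.retain(|_, e| now.saturating_duration_since(e.last_seen) <= ttl);
        before - self.map.len()
    }
    // Cap enforcement: drop the least recently seen entry (O(n) scan, kept simple here).
    fn evict_oldest(&mut self) {
        let oldest = self.map.iter().min_by_key(|(_, e)| e.last_seen).map(|(ip, _)| *ip);
        if let Some(ip) = oldest { self.map.remove(&ip); }
    }
    fn len(&self) -> usize { self.map.len() }
}

fn main() {
    let t0 = Instant::now(); // simulated clock: all times are offsets from t0
    let mut l = BoundedLimiters::new(Duration::from_secs(3600), 2);
    for n in 1..=5u8 { // constructed sample IPs from the 192.0.2.0/24 documentation range
        l.touch(IpAddr::V4(Ipv4Addr::new(192, 0, 2, n)), t0 + Duration::from_secs(n as u64));
    }
    println!("entries after 5 distinct IPs: {}", l.len());
    println!("swept after 2h idle: {}", l.sweep(t0 + Duration::from_secs(7200)));
}
```

Evicting an entry discards that IP's limiter state, so the next request from it starts with a fresh quota. The TTL should therefore be at least as long as the limiter's own window, and the cap sized so that normal traffic rarely triggers `evict_oldest`.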
Reference
lhumina_code/hero_aibroker#83