- Add regex validation utility for query strings
- Update filter_config_service to use regex validation
- Add comprehensive test coverage for regex validator
- Update exception handling for validation errors
- Update documentation for tasks

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
[MEDIUM] Input validation missing for regex patterns (ReDoS)
Where found
backend/app/routers/config.py — regex validation accepts arbitrary patterns without timeout
Why this is needed
Malicious regex causes catastrophic backtracking (ReDoS). Attacker sends pattern → compilation hangs → DoS.
Goal
Add timeout and complexity limits to regex validation.
What to do
- Add timeout to regex compilation (2 seconds recommended)
- Add length limit (reject patterns > 1000 characters)
- Use signal.alarm() (Unix) or timeout library
Possible traps and issues
- signal.alarm() is Unix-only
- Some valid complex regexes may time out
- Frontend should also validate (defense in depth)
Docs changes needed
- Update API docs to document regex validation limits
Doc references
backend/app/routers/config.py
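A sketch of the validator this task asks for, added here as an example and not taken from the project's code. The names validate_pattern, RegexRejected and SAMPLES are hypothetical. In CPython the backtracking cost is paid when a pattern runs against input, so the budget covers both compilation and a search over probe strings.

```python
import re
import signal

MAX_PATTERN_LEN = 1000  # length limit from the task above
TIMEOUT_S = 2.0         # time budget recommended in the task above

# Constructed probe inputs: an ordinary query string, and a long single-character
# run with a non-matching tail, the classic trigger for nested quantifiers.
SAMPLES = ["country=DE&status=200", "a" * 64 + "!"]


class RegexRejected(ValueError):
    """Hypothetical error type: the message names the limit that was hit."""


def _on_alarm(signum, frame):
    raise TimeoutError("regex time budget exceeded")


def validate_pattern(pattern, samples=SAMPLES, timeout_s=TIMEOUT_S):
    """Compile `pattern` and search every sample under one wall-clock budget.

    Relies on SIGALRM, so it works only on Unix and only in the main thread.
    Passing the probes does not prove the pattern is safe for every input.
    """
    if len(pattern) > MAX_PATTERN_LEN:
        raise RegexRejected(f"pattern longer than {MAX_PATTERN_LEN} characters")
    previous = signal.signal(signal.SIGALRM, _on_alarm)
    signal.setitimer(signal.ITIMER_REAL, timeout_s)
    try:
        compiled = re.compile(pattern)
        for text in samples:
            compiled.search(text)
    except re.error as exc:
        raise RegexRejected(f"invalid pattern: {exc}") from exc
    except TimeoutError as exc:
        raise RegexRejected(f"pattern exceeded the {timeout_s}s budget") from exc
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)  # cancel a pending alarm
        signal.signal(signal.SIGALRM, previous)  # restore the old handler
    return compiled


if __name__ == "__main__":
    for candidate in (r"country=(\w+)", "(unclosed", r"(a+)+$"):
        try:
            validate_pattern(candidate)
            print("accepted:", candidate)
        except RegexRejected as why:
            print("rejected:", candidate, "->", why)
```

When request handlers run in worker threads, signal.signal() raises ValueError outside the main thread, which is where the "timeout library" option from the task comes in.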
[MEDIUM] No structured logging to external system
Where found
- Logs only go to stdout/file, no external aggregation
Why this is needed
Can't search across instances, historical logs lost on instance recycle.
Goal
Ship logs to centralized logging platform.
What to do
- Short-term: Ensure structlog JSON output is valid (already done)
- Long-term: Ship to logging platform (ELK, Datadog, Papertrail)
Possible traps and issues
- External logging adds latency
- Sensitive data must not be logged
- Log volume can be massive
Docs changes needed
- Add Docs/Observability.md section on logging
Doc references
Docs/Observability.md (new)
[MEDIUM] No Application Performance Monitoring (APM)
Where found
- Backend: no metrics collection, latency tracking
- Frontend: no error tracking, performance metrics
- No observability into request performance
Why this is needed
Without metrics, blind in production: API slow? Unknown. Which endpoints fail most? Unknown.
Goal
Add comprehensive metrics collection and monitoring.
What to do
- Backend metrics:
  - Add Prometheus metrics: request count, latency, active requests
  - Expose /metrics endpoint
- Frontend metrics:
  - Page load time, FCP, LCP using web-vitals
  - API error rates and latencies
- Aggregation:
  - Prometheus + Grafana, or Datadog/NewRelic
Possible traps and issues
- Metrics collection has performance cost
- Cardinality explosion with tags
- PII in metrics
Docs changes needed
- Add Docs/Observability.md
Doc references
Docs/Observability.md (new)
[LOW] Frontend charts not memoized
Where found
- frontend/src/components/TopCountriesPieChart.tsx
- frontend/src/components/TopCountriesBarChart.tsx
Why this is needed
Charts re-render on every parent update, Recharts reprocesses 5000+ points.
Goal
Memoize chart components.
What to do
- Wrap with React.memo with custom comparison
- Ensure data objects are stable
Possible traps and issues
- Shallow comparison might not be enough
- Memoization has memory cost
Docs changes needed
- No documentation changes
Doc references
frontend/src/components/TopCountriesChart.tsx
[LOW] No request deduplication on frontend
Where found
- frontend/src/hooks/useFetchData.ts — each call launches new request
- User clicks "Refresh" twice → two identical requests
Why this is needed
Duplicates waste bandwidth, cause race conditions (response 2 arrives first, then response 1 overwrites with stale data).
Goal
Deduplicate identical in-flight requests.
What to do
- Implement request cache
- Clear cache entry when response received
- Use in useFetchData
Possible traps and issues
- Cache must be cleared on data mutation
- Stale data in cache possible if not careful
Docs changes needed
- No documentation changes
Doc references
frontend/src/hooks/useFetchData.ts