enforce cscli list limits and add metrics UI

hhftechnology · hhftechnology · commit b86afd3661b9 · 2026-03-01T19:00:53.000+05:30
add a hard safety cap for cscli list commands (constants.MaxListLimit) and an ExecCommandTimeout. Introduce DecisionListLimit and AlertListLimit config options (env vars DECISION_LIST_LIMIT, ALERT_LIST_LIMIT) and an EffectiveLimit helper to compute the applied limit. Update dashboard handlers to pass a --limit argument to cscli (use strconv) to prevent huge result sets and potential memory exhaustion. Enhance the Metrics page (web/src/pages/Metrics.tsx) to render structured metrics as tabbed tables with flattening logic and improved UI/ordering.
diff --git a/internal/api/handlers/dashboard.go b/internal/api/handlers/dashboard.go
@@ -4,11 +4,13 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"strconv"
 	"strings"
 	"time"
 
 	"crowdsec-manager/internal/cache"
 	"crowdsec-manager/internal/config"
+	"crowdsec-manager/internal/constants"
 	"crowdsec-manager/internal/database"
 	"crowdsec-manager/internal/docker"
 	"crowdsec-manager/internal/logger"
@@ -45,9 +47,9 @@ func GetDecisions(dockerClient *docker.Client, cfg *config.Config, ttlCache ...*
 
 		logger.Info("Getting CrowdSec decisions via cscli")
 
-		output, err := dockerClient.ExecCommand(cfg.CrowdsecContainerName, []string{
-			"cscli", "decisions", "list", "-o", "json",
-		})
+		limit := config.EffectiveLimit(cfg.DecisionListLimit, constants.MaxListLimit)
+		cmd := []string{"cscli", "decisions", "list", "-o", "json", "--limit", strconv.Itoa(limit)}
+		output, err := dockerClient.ExecCommand(cfg.CrowdsecContainerName, cmd)
 		if err != nil {
 			c.JSON(http.StatusInternalServerError, models.Response{
 				Success: false,
diff --git a/internal/api/handlers/dashboard_analysis.go b/internal/api/handlers/dashboard_analysis.go
@@ -4,10 +4,12 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"strconv"
 	"time"
 
 	"crowdsec-manager/internal/cache"
 	"crowdsec-manager/internal/config"
+	"crowdsec-manager/internal/constants"
 	"crowdsec-manager/internal/docker"
 	"crowdsec-manager/internal/logger"
 	"crowdsec-manager/internal/models"
@@ -22,7 +24,8 @@ func GetDecisionsAnalysis(dockerClient *docker.Client, cfg *config.Config) gin.H
 		dockerClient = resolveDockerClient(c, dockerClient)
 		logger.Info("Getting CrowdSec decisions analysis via cscli")
 
-		cmd := []string{"cscli", "decisions", "list", "-o", "json"}
+		limit := config.EffectiveLimit(cfg.DecisionListLimit, constants.MaxListLimit)
+		cmd := []string{"cscli", "decisions", "list", "-o", "json", "--limit", strconv.Itoa(limit)}
 
 		// Add filters based on query parameters
 		if v := c.Query("ip"); v != "" {
@@ -165,7 +168,8 @@ func GetAlertsAnalysis(dockerClient *docker.Client, cfg *config.Config, ttlCache
 		if v := c.Query("id"); v != "" {
 			cmd = []string{"cscli", "alerts", "inspect", v, "-o", "json"}
 		} else {
-			cmd = []string{"cscli", "alerts", "list", "-o", "json"}
+			alertLimit := config.EffectiveLimit(cfg.AlertListLimit, constants.MaxListLimit)
+			cmd = []string{"cscli", "alerts", "list", "-o", "json", "--limit", strconv.Itoa(alertLimit)}
 
 			// Add filters based on query parameters
 			if v := c.Query("ip"); v != "" {
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -35,13 +35,13 @@ type Config struct {
 	CrowdSecAcquisFile   string
 
 	// CrowdSec container-internal paths and URLs
-	CrowdSecWhitelistPath      string
-	CrowdSecProfilesPath       string
-	CrowdSecNotificationsDir   string
-	CrowdSecScenariosDir       string
-	CrowdSecMetricsURL         string
-	CrowdSecConsoleURL         string
-	CrowdSecCTIURLPattern      string
+	CrowdSecWhitelistPath    string
+	CrowdSecProfilesPath     string
+	CrowdSecNotificationsDir string
+	CrowdSecScenariosDir     string
+	CrowdSecMetricsURL       string
+	CrowdSecConsoleURL       string
+	CrowdSecCTIURLPattern    string
 
 	// Traefik container-internal paths
 	TraefikCaptchaHTMLPath     string
@@ -60,14 +60,17 @@ type Config struct {
 	GerbilContainerName   string
 	TraefikContainerName  string
 
-
 	// Services
 	Services             []string
 	ServicesWithCrowdsec []string
 	IncludeCrowdsec      bool
 	IncludePangolin      bool
 	IncludeGerbil        bool
 
+	// CrowdSec list limits (0 = unlimited)
+	DecisionListLimit int
+	AlertListLimit    int
+
 	// NATS Messaging (optional)
 	NatsURL     string
 	NatsToken   string
@@ -83,37 +86,37 @@ type Config struct {
 // It also creates required directories and dynamically builds service lists from compose file
 func Load() (*Config, error) {
 	cfg := &Config{
-		Port:                  getEnvAsInt("PORT", 8080),
-		Environment:           getEnv("ENVIRONMENT", "development"),
-		LogLevel:              getEnv("LOG_LEVEL", "info"),
-		LogFile:               getEnv("LOG_FILE", "./logs/crowdsec-manager.log"),
-		DockerHost:            getEnv("DOCKER_HOST", ""),
-		DockerHosts:           getEnv("DOCKER_HOSTS", ""),
-		ComposeFile:           getEnv("COMPOSE_FILE", "./docker-compose.yml"),
-		PangolinDir:           getEnv("PANGOLIN_DIR", "."),
-		ConfigDir:             getEnv("CONFIG_DIR", "./config"),
-		DatabasePath:          getEnv("DATABASE_PATH", "./data/settings.db"),
-		TraefikDynamicConfig:  getEnv("TRAEFIK_DYNAMIC_CONFIG", "/etc/traefik/dynamic_config.yml"),
-		TraefikStaticConfig:   getEnv("TRAEFIK_STATIC_CONFIG", "/etc/traefik/traefik_config.yml"),
-		TraefikAccessLog:      getEnv("TRAEFIK_ACCESS_LOG", "/var/log/traefik/access.log"),
-		TraefikErrorLog:       getEnv("TRAEFIK_ERROR_LOG", "/var/log/traefik/traefik.log"),
-		CrowdSecAcquisFile:     getEnv("CROWDSEC_ACQUIS_FILE", "/etc/crowdsec/acquis.yaml"),
-		CrowdSecWhitelistPath:      getEnv("CROWDSEC_WHITELIST_PATH", "/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml"),
-		CrowdSecProfilesPath:       getEnv("CROWDSEC_PROFILES_PATH", "/etc/crowdsec/profiles.yaml"),
-		CrowdSecNotificationsDir:   getEnv("CROWDSEC_NOTIFICATIONS_DIR", "/etc/crowdsec/notifications"),
-		CrowdSecScenariosDir:       getEnv("CROWDSEC_SCENARIOS_DIR", "/etc/crowdsec/scenarios"),
-		CrowdSecMetricsURL:         getEnv("CROWDSEC_METRICS_URL", "http://localhost:6060/metrics"),
-		CrowdSecConsoleURL:         getEnv("CROWDSEC_CONSOLE_URL", "https://app.crowdsec.net/"),
-		CrowdSecCTIURLPattern:      getEnv("CROWDSEC_CTI_URL_PATTERN", "https://app.crowdsec.net/cti/{{.Value}}"),
-		TraefikCaptchaHTMLPath:     getEnv("TRAEFIK_CAPTCHA_HTML_PATH", "/etc/traefik/conf/captcha.html"),
-		TraefikCaptchaEnvPath:      getEnv("TRAEFIK_CAPTCHA_ENV_PATH", "/etc/traefik/captcha.env"),
+		Port:                     getEnvAsInt("PORT", 8080),
+		Environment:              getEnv("ENVIRONMENT", "development"),
+		LogLevel:                 getEnv("LOG_LEVEL", "info"),
+		LogFile:                  getEnv("LOG_FILE", "./logs/crowdsec-manager.log"),
+		DockerHost:               getEnv("DOCKER_HOST", ""),
+		DockerHosts:              getEnv("DOCKER_HOSTS", ""),
+		ComposeFile:              getEnv("COMPOSE_FILE", "./docker-compose.yml"),
+		PangolinDir:              getEnv("PANGOLIN_DIR", "."),
+		ConfigDir:                getEnv("CONFIG_DIR", "./config"),
+		DatabasePath:             getEnv("DATABASE_PATH", "./data/settings.db"),
+		TraefikDynamicConfig:     getEnv("TRAEFIK_DYNAMIC_CONFIG", "/etc/traefik/dynamic_config.yml"),
+		TraefikStaticConfig:      getEnv("TRAEFIK_STATIC_CONFIG", "/etc/traefik/traefik_config.yml"),
+		TraefikAccessLog:         getEnv("TRAEFIK_ACCESS_LOG", "/var/log/traefik/access.log"),
+		TraefikErrorLog:          getEnv("TRAEFIK_ERROR_LOG", "/var/log/traefik/traefik.log"),
+		CrowdSecAcquisFile:       getEnv("CROWDSEC_ACQUIS_FILE", "/etc/crowdsec/acquis.yaml"),
+		CrowdSecWhitelistPath:    getEnv("CROWDSEC_WHITELIST_PATH", "/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml"),
+		CrowdSecProfilesPath:     getEnv("CROWDSEC_PROFILES_PATH", "/etc/crowdsec/profiles.yaml"),
+		CrowdSecNotificationsDir: getEnv("CROWDSEC_NOTIFICATIONS_DIR", "/etc/crowdsec/notifications"),
+		CrowdSecScenariosDir:     getEnv("CROWDSEC_SCENARIOS_DIR", "/etc/crowdsec/scenarios"),
+		CrowdSecMetricsURL:       getEnv("CROWDSEC_METRICS_URL", "http://localhost:6060/metrics"),
+		CrowdSecConsoleURL:       getEnv("CROWDSEC_CONSOLE_URL", "https://app.crowdsec.net/"),
+		CrowdSecCTIURLPattern:    getEnv("CROWDSEC_CTI_URL_PATTERN", "https://app.crowdsec.net/cti/{{.Value}}"),
+		TraefikCaptchaHTMLPath:   getEnv("TRAEFIK_CAPTCHA_HTML_PATH", "/etc/traefik/conf/captcha.html"),
+		TraefikCaptchaEnvPath:    getEnv("TRAEFIK_CAPTCHA_ENV_PATH", "/etc/traefik/captcha.env"),
 		TraefikDynamicConfigSearch: []string{
 			"/etc/traefik/config/dynamic_config.yml",
 			"/etc/traefik/dynamic_config.yaml",
 			"/etc/traefik/config/dynamic_config.yaml",
 		},
-		CaptchaGracePeriod:         getEnvAsInt("CAPTCHA_GRACE_PERIOD", 1800),
-		BackupDir:              getEnv("BACKUP_DIR", "./backups"),
+		CaptchaGracePeriod:    getEnvAsInt("CAPTCHA_GRACE_PERIOD", 1800),
+		BackupDir:             getEnv("BACKUP_DIR", "./backups"),
 		RetentionDays:         getEnvAsInt("RETENTION_DAYS", 60),
 		BackupItems:           []string{"docker-compose.yml", "config"},
 		CrowdsecContainerName: getEnv("CROWDSEC_CONTAINER_NAME", "crowdsec"),
@@ -123,6 +126,8 @@ func Load() (*Config, error) {
 		IncludeCrowdsec:       getEnvAsBool("INCLUDE_CROWDSEC", true),
 		IncludePangolin:       getEnvAsBool("INCLUDE_PANGOLIN", true),
 		IncludeGerbil:         getEnvAsBool("INCLUDE_GERBIL", true),
+		DecisionListLimit:     getEnvAsInt("DECISION_LIST_LIMIT", 200),
+		AlertListLimit:        getEnvAsInt("ALERT_LIST_LIMIT", 200),
 		NatsURL:               getEnv("NATS_URL", ""),
 		NatsToken:             getEnv("NATS_TOKEN", ""),
 		NatsEnabled:           getEnvAsBool("NATS_ENABLED", false),
@@ -212,6 +217,16 @@ func (c *Config) GetServices() []string {
 	return c.Services
 }
 
+// EffectiveLimit returns the effective list limit, applying the hard safety cap.
+// If the configured limit is 0 (unlimited), it returns maxLimit.
+// If the configured limit exceeds maxLimit, it returns maxLimit.
+func EffectiveLimit(configured, maxLimit int) int {
+	if configured <= 0 || configured > maxLimit {
+		return maxLimit
+	}
+	return configured
+}
+
 // getEnv retrieves an environment variable or returns the default value if not set
 func getEnv(key, defaultValue string) string {
 	if value := os.Getenv(key); value != "" {
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
@@ -30,6 +30,16 @@ const CrowdSecConfigSubdir = "crowdsec"
 // DefaultWebSocketBufferSize is the default buffer size for WebSocket read/write operations
 const DefaultWebSocketBufferSize = 4096
 
+// MaxListLimit is the hard safety cap for cscli list commands.
+// Even when the user sets limit=0 (unlimited), we enforce this cap to prevent
+// memory exhaustion from very large result sets (e.g. 10,000+ decisions/alerts).
+// Matches CrowdSec's default DB retention of 5,000 items.
+const MaxListLimit = 5000
+
+// ExecCommandTimeout is the timeout for cscli commands executed inside containers.
+// Prevents hanging if cscli takes too long on large datasets.
+const ExecCommandTimeout = 60 * time.Second
+
 // ExternalHTTPTimeout is the timeout for outbound HTTP requests (IP lookups, etc.)
 const ExternalHTTPTimeout = 10 * time.Second
 
diff --git a/web/src/pages/Metrics.tsx b/web/src/pages/Metrics.tsx
