We’ve confirmed the issue. When a user or app makes certain requests, it can trigger the adfExport function for your macro to run for every macro on every page in the results. Because this is an N+1 problem, it causes massive request spikes and is immediately blocked by rate limiting.
E.g. run a request like this for a macro that has an adfExport function:

```
/wiki/rest/api/search?cql=macro+IN+("your-macro-key")&expand=content.body.export_view
```
You’ll notice you get hundreds or thousands of invocations if you paginate on those.
At scale, this looks like this:
This means users, other apps, or vendors can unknowingly perform Denial of Service attacks on others' apps and wipe out their credits.
Doing the math:
- Each search result page requests 25 pages with their full content.
- Every page contains 25 macros, each running an adfExport function.
- That’s 25 × 25 = 625 function calls per search result page.
- Assuming 100 pages of results, that is 625 × 100 = 62,500 invocations.
At this point, your invocations never happen, but if they did, it would get worse:
- If each function makes 3 API calls, that is 625 × 3 = 1,875 requests per result page.
- Over 100 search result pages, you’ll get 1,875 × 100 = 187,500 API requests.
All of this happens in the space of 1-2 minutes, so it’s impossible to deal with regardless - I’m also not sure if this happens in other places - e.g. Rovo getting page content, re-indexing etc.
