Luke's note looks good to me.
Regarding the image_properties and image_tags tables, +1 to what Brian mentioned. But the solution there is rate-limiting again. So, if we are recommending that people use rate-limiting in general, what Brian mentioned would be addressed by that (unless we are recommending rate-limiting specifically on image create, which we are not, so we should be okay).
Also, I wonder if we should mention explicitly that rate-limiting really doesn't eliminate the attack mentioned here. It only slows it down.