Severity
High
Files
app/backend/src/search/, app/backend/src/referrals/, app/backend/src/booking/**
Description
Several full-text-search and filtering endpoints accept arbitrary query strings without length limits, and may allow deeply nested filters. Without limits, an attacker can craft requests that time out the DB.
Acceptance Criteria
- Cap query string length at e.g. 256 chars (configurable)
- Cap filter complexity (max OR clauses, max AND nesting)
- Add a test: a deeply nested filter returns 400 Bad Request
- Document limits in docs/api/query-limits.md
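A sketch of the validator the criteria above describe, added here as an example and not code from this repository: it rejects over-long query strings, counts OR clauses, tracks AND nesting depth and maps any violation to a 400. The filter shape (`{"and": [...]}`, `{"or": [...]}`, leaf `{"field", "op", "value"}`) and the limit values are assumptions.

```python
# Added example, not the project's own code. Filter shape ({"and": [...]}, {"or": [...]},
# leaf {"field", "op", "value"}) and the limit values are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class QueryLimits:
    max_query_len: int = 256   # cap on the free-text query string (configurable)
    max_or_clauses: int = 20   # total OR branches across the whole filter tree
    max_and_depth: int = 4     # deepest nesting of AND groups allowed

class QueryLimitError(ValueError):
    """A request exceeding a limit; mapped to 400 Bad Request by the caller."""

def _walk(node, limits, and_depth, counts):
    """Count OR branches and track AND nesting; fail fast on the first violation."""
    if not isinstance(node, dict):
        raise QueryLimitError("filter node must be an object")
    if "and" in node:
        and_depth += 1
        if and_depth > limits.max_and_depth:
            raise QueryLimitError(f"AND nesting deeper than {limits.max_and_depth}")
        for child in node["and"]:
            _walk(child, limits, and_depth, counts)
    elif "or" in node:
        counts["or"] += len(node["or"])
        if counts["or"] > limits.max_or_clauses:
            raise QueryLimitError(f"more than {limits.max_or_clauses} OR clauses")
        for child in node["or"]:
            _walk(child, limits, and_depth, counts)
    elif not all(k in node for k in ("field", "op", "value")):
        raise QueryLimitError("leaf filter needs field, op and value")

def validate_search_request(query, filter_tree=None, limits=QueryLimits()):
    """Check limits before touching the database; returns (http_status, message)."""
    try:
        if len(query) > limits.max_query_len:
            raise QueryLimitError(f"query longer than {limits.max_query_len} chars")
        if filter_tree is not None:
            _walk(filter_tree, limits, 0, {"or": 0})
    except QueryLimitError as e:
        return 400, str(e)
    return 200, "ok"

def nested_and(depth):
    """Constructed pathological input: a filter nested `depth` AND groups deep."""
    node = {"field": "name", "op": "eq", "value": "x"}
    for _ in range(depth):
        node = {"and": [node]}
    return node
```

Run the validator on the parsed request before any query is built, so the rejected request never reaches the database; `nested_and(5)` is the kind of input the acceptance test should send and expect a 400 for.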