
[backend][security] Search/SQL endpoints lack query size and complexity limits #533

Description

@Xhristin3

Severity

High

Files

app/backend/src/search/, app/backend/src/referrals/, app/backend/src/booking/**

Description

Several full-text-search and filtering endpoints accept arbitrary query strings without length limits, and may allow deeply nested filters. Without limits, an attacker can craft requests that time out the DB.

Acceptance Criteria

  • Cap query string length at e.g. 256 chars (configurable)
  • Cap filter complexity (max OR clauses, max AND nesting)
  • Add a test: a deeply nested filter returns 400 Bad Request
  • Document limits in docs/api/query-limits.md
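One way to meet the first three criteria, as an added example that is not code from this repository: a Python validator for the free-text query string and for a JSON filter tree. The filter shape (`{"and": [...]}`, `{"or": [...]}`, leaf `{"field", "op", "value"}`), the default limit values and the `QueryTooComplex` exception are assumptions; the endpoint is expected to map that exception to 400 Bad Request.

```python
from dataclasses import dataclass

class QueryTooComplex(ValueError):
    """Request exceeds a configured limit; the endpoint should answer 400 Bad Request."""

@dataclass(frozen=True)
class QueryLimits:
    max_query_len: int = 256   # characters in the free-text query (configurable)
    max_or_clauses: int = 20   # total OR alternatives across the whole filter
    max_and_depth: int = 4     # deepest chain of nested AND groups

LEAF_KEYS = {"field", "op", "value"}  # assumed leaf shape of a filter node

def validate_query_string(q: str, limits: QueryLimits = QueryLimits()) -> str:
    if len(q) > limits.max_query_len:
        raise QueryTooComplex(f"query longer than {limits.max_query_len} characters")
    return q

def _children(v) -> list:
    if not isinstance(v, list) or not v:
        raise QueryTooComplex("and/or must hold a non-empty list")
    return v

def validate_filter(node, limits: QueryLimits = QueryLimits()) -> dict:
    """Walk an assumed filter tree of {"and": [...]}, {"or": [...]} and leaf nodes.
    Fails fast the moment a limit is crossed, so a hostile tree is never fully walked."""
    stats = {"or_clauses": 0, "and_depth": 0}

    def walk(n, and_depth: int) -> None:
        if not isinstance(n, dict) or not n:
            raise QueryTooComplex("filter node must be a non-empty object")
        if "and" in n:
            depth = and_depth + 1
            if depth > limits.max_and_depth:
                raise QueryTooComplex(f"AND nesting deeper than {limits.max_and_depth}")
            stats["and_depth"] = max(stats["and_depth"], depth)
            for child in _children(n["and"]):
                walk(child, depth)
        elif "or" in n:
            children = _children(n["or"])
            stats["or_clauses"] += len(children)  # counted across the whole tree
            if stats["or_clauses"] > limits.max_or_clauses:
                raise QueryTooComplex(f"more than {limits.max_or_clauses} OR clauses")
            for child in children:
                walk(child, and_depth)
        elif set(n) == LEAF_KEYS:
            validate_query_string(str(n["value"]), limits)  # leaf values share the cap
        else:
            raise QueryTooComplex(f"unexpected filter keys: {sorted(n)}")

    walk(node, 0)
    return stats
```

The raw request body should additionally be size-capped at the framework layer before JSON parsing, so the parser itself cannot be the component that times out.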
