Summary
The public GET /api/prompts endpoint currently parses page and perPage directly from query params without bounding them.
Impact
A client can request arbitrarily large perPage values (or malformed values) and force oversized database reads / response payloads on a public endpoint.
Reproduction
GET /api/prompts?perPage=1000000&page=1
Expected
- page should be normalized to a sane positive integer
- perPage should be clamped to a small public maximum
- malformed values should fall back to defaults instead of propagating unexpected NaN / oversized values
Proposed fix
Add a small pagination parser for the public endpoint that defaults invalid values and clamps perPage to a public maximum.
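One way to implement the proposed parser, as an added example rather than the project's own code. The function names, the defaults (page 1, 20 per page), the public maximum of 50 and the page cap are assumptions; it also clamps page, which goes slightly beyond what the issue asks for.

```javascript
// Added example: bounded pagination parser for a public endpoint (assumed names/values).
const DEFAULT_PAGE = 1;
const DEFAULT_PER_PAGE = 20;
const MAX_PUBLIC_PER_PAGE = 50;   // assumed public maximum
const MAX_PUBLIC_PAGE = 10000;    // assumed cap so offsets stay small and safe

// Parse one raw query value into a positive safe integer.
// Returns null for anything else: missing, non-string, non-digit strings
// ("abc", "NaN", "1e9", "-5"), zero, or values beyond Number.MAX_SAFE_INTEGER.
function toPositiveInt(raw) {
  if (Array.isArray(raw)) raw = raw[0];          // ?page=1&page=2 -> first value
  if (typeof raw !== 'string') return null;      // objects from nested qs syntax etc.
  const s = raw.trim();
  if (!/^\d+$/.test(s)) return null;             // digits only: no sign, exponent, decimals
  const n = Number(s);
  if (!Number.isSafeInteger(n) || n < 1) return null;
  return n;
}

// query is e.g. Express's req.query. Invalid values fall back to defaults,
// valid but oversized values are clamped to the public limits.
function parsePagination(query, opts = {}) {
  const maxPerPage = opts.maxPerPage ?? MAX_PUBLIC_PER_PAGE;
  const maxPage = opts.maxPage ?? MAX_PUBLIC_PAGE;
  const page = Math.min(toPositiveInt(query.page) ?? DEFAULT_PAGE, maxPage);
  const perPage = Math.min(toPositiveInt(query.perPage) ?? DEFAULT_PER_PAGE, maxPerPage);
  // offset/limit are what the data layer should receive instead of raw params
  return { page, perPage, offset: (page - 1) * perPage };
}

// The request from the report: GET /api/prompts?perPage=1000000&page=1
// parsePagination({ perPage: '1000000', page: '1' }) -> { page: 1, perPage: 50, offset: 0 }
```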