Description
The GET /history/search endpoint defines q as:
q: str = Query(..., min_length=1)
There is no max_length, so callers can pass arbitrarily large strings. Since q is passed directly to an FTS5 MATCH expression in database.py:search_entries(), a very large or complex FTS5 expression can cause excessive CPU and memory usage on the server (especially with FTS5's wildcard and prefix matching features).
Affected Files
backend/app/routers/history.py:52 — missing max_length on q Query param
backend/app/services/database.py:96 — FTS5 MATCH expression accepts unbounded input
Expected Behavior
q should have max_length=200 (or similar) to prevent abuse:
q: str = Query(..., min_length=1, max_length=200)
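The following is an added example (not the project's own history.py or database.py) showing the same bound enforced again in the search layer, plus an optional FTS5 hardening that goes slightly beyond the issue: quoting each token so wildcard/prefix and boolean operators are treated as plain text. Everything here is assumed: the entries table, the sample rows, and the function names is_accepted, literal_match_expr, build_index and search_entries are stand-ins for the real search_entries() in database.py.

```python
import sqlite3

# Mirrors the max_length=200 proposed for the Query param (an assumption: the
# project may pick a different limit).
MAX_QUERY_LENGTH = 200


def is_accepted(q: str, max_length: int = MAX_QUERY_LENGTH) -> bool:
    """Same check FastAPI performs for Query(..., min_length=1, max_length=200).

    Returns False for inputs the router would reject with a 422, so the
    database layer can enforce the identical bound as defense in depth.
    """
    return isinstance(q, str) and 1 <= len(q) <= max_length


def literal_match_expr(q: str) -> str:
    """Turn user text into an FTS5 expression with no operators.

    Each whitespace-separated token is wrapped in double quotes (embedded
    quotes doubled, per FTS5 string syntax), so AND/OR/NOT/NEAR, column
    filters and the trailing '*' prefix operator become plain text.
    Tokens are still implicitly ANDed together.
    """
    return " ".join('"' + tok.replace('"', '""') + '"' for tok in q.split())


def fts5_available() -> bool:
    """True if this Python's SQLite was compiled with FTS5."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE VIRTUAL TABLE probe USING fts5(t)")
        return True
    except sqlite3.OperationalError:
        return False
    finally:
        conn.close()


def build_index() -> sqlite3.Connection:
    """Constructed sample data standing in for the real history table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE VIRTUAL TABLE entries USING fts5(title, body)")
    conn.executemany(
        "INSERT INTO entries(title, body) VALUES (?, ?)",
        [
            ("Rotate API keys", "rotate the leaked api key and revoke old tokens"),
            ("Patch sqlite", "upgrade sqlite to pick up the latest fts5 fixes"),
            ("Incident review", "tokens were leaked via a debug log"),
        ],
    )
    return conn


def search_entries(conn: sqlite3.Connection, q: str, literal: bool = False) -> list[str]:
    """Bounded FTS5 search; hypothetical stand-in for database.search_entries().

    Rejects over-long input before SQLite ever parses it, binds q as a
    parameter (never string-formatted into the SQL), and optionally strips
    FTS5 operator semantics with literal_match_expr().
    """
    if not is_accepted(q):
        raise ValueError(f"q must be 1..{MAX_QUERY_LENGTH} characters")
    expr = literal_match_expr(q) if literal else q
    rows = conn.execute(
        "SELECT title FROM entries WHERE entries MATCH ? ORDER BY rank",
        (expr,),
    ).fetchall()
    return sorted(title for (title,) in rows)


if __name__ == "__main__":
    if fts5_available():
        conn = build_index()
        print(search_entries(conn, "leak*"))                 # prefix operator active
        print(search_entries(conn, "leak*", literal=True))   # '*' is just text here
    print(is_accepted("x" * 201))                            # rejected by the bound
```

Note that max_length on a str Query param counts characters (Python len()), not bytes, and FastAPI applies it before the handler runs; the check inside search_entries is there so the database layer stays safe even if another caller bypasses the router. The literal mode trades away prefix and boolean search, so it is a choice for the project, not part of the fix the issue asks for.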
Labels
type:bug, level:intermediate, gssoc2026