fix(SEC-API-19+20): Validate brain search length and limit params

- Add @MaxLength(500) to BrainQueryDto.query and BrainQueryDto.search fields
- Create BrainSearchDto with validated q (max 500 chars) and limit (1-100) fields
- Update BrainController.search to use BrainSearchDto instead of raw query params
- Add defensive validation in BrainService.search and BrainService.query methods:
  - Reject search terms exceeding 500 characters with BadRequestException
  - Clamp limit to valid range [1, 100] for defense-in-depth
- Add comprehensive tests for DTO validation and service-level guards
- Update existing controller tests for new search method signature

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jason Woltje
2026-02-06 13:29:03 -06:00
parent ef1f1eee9d
commit 17cfeb974b
6 changed files with 299 additions and 30 deletions


@@ -7,6 +7,7 @@ import {
IsInt,
Min,
Max,
MaxLength,
IsDateString,
IsArray,
ValidateNested,
@@ -105,6 +106,7 @@ export class BrainQueryDto {
@IsOptional()
@IsString()
@MaxLength(500, { message: "query must not exceed 500 characters" })
query?: string;
@IsOptional()
@@ -129,6 +131,7 @@ export class BrainQueryDto {
@IsOptional()
@IsString()
@MaxLength(500, { message: "search must not exceed 500 characters" })
search?: string;
@IsOptional()
@@ -162,3 +165,17 @@ export class BrainContextDto {
@Max(30)
eventDays?: number;
}
export class BrainSearchDto {
@IsOptional()
@IsString()
@MaxLength(500, { message: "q must not exceed 500 characters" })
q?: string;
@IsOptional()
@Type(() => Number)
@IsInt({ message: "limit must be an integer" })
@Min(1, { message: "limit must be at least 1" })
@Max(100, { message: "limit must not exceed 100" })
limit?: number;
}
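Review bot: The 500-character cap is a bare literal in three separate @MaxLength decorators in this file (query, search and q) and, per the commit description, appears again in the BrainService.search/query guards, so the DTO bound and the service-level bound can drift apart without any test noticing. One exported constant, e.g. `export const BRAIN_TEXT_MAX_LENGTH = 500;` used as `@MaxLength(BRAIN_TEXT_MAX_LENGTH, { message: "q must not exceed 500 characters" })` in the decorators and in the service check, keeps both layers in lock-step, and the same treatment suits the 1–100 limit bounds. BrainSearchDto also has no doc comment; a TSDoc block on the class stating that q is optional and capped at 500 characters, and that limit is coerced from the query string and must be an integer in [1, 100], would record the contract the new tests exercise. The `@Type` decorator is not among the imports visible in this diff, so presumably it is imported from class-transformer earlier in the file. Note that the coercion on limit only reaches the handler if the ValidationPipe is configured with `transform: true`; otherwise the controller receives the raw string and the service-side clamp becomes the effective bound.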


@@ -1,5 +1,6 @@
export {
BrainQueryDto,
BrainSearchDto,
TaskFilter,
EventFilter,
ProjectFilter,