Skip to content

[SECURITY] No maximum input length on the task extraction prompt sent to the external language model API, allowing quota exhaustion via oversized inputs #1201

Description

@anshul23102

Problem

The study plan extraction endpoint accepts arbitrary text input from the user and forwards it directly to the Gemini API without enforcing any maximum length. A user can submit an extremely large text block (e.g., an entire textbook chapter or a several-thousand-word document) as a single prompt, consuming a large number of language model tokens per request. Repeated or automated oversized requests exhaust the project's API quota rapidly, causing the service to fail for all users.

Steps to Reproduce

  1. Open the study plan input field
  2. Paste a document with 50,000+ characters
  3. Submit the form
  4. Observe the full text is sent to the external API with no truncation or rejection

Proposed Fix

Enforce a character limit on the input field both client-side (for UX) and server-side (for security):

const MAX_INPUT_CHARS = 3000;

router.post("/extract", async (req, res) => {
  const { prompt } = req.body;
  if (!prompt || typeof prompt !== "string") {
    return res.status(400).json({ error: "Input is required." });
  }
  if (prompt.length > MAX_INPUT_CHARS) {
    return res.status(413).json({
      error: `Input exceeds the maximum allowed length of ${MAX_INPUT_CHARS} characters.`
    });
  }
  // proceed with API call
});

Complexity: Level 2 | Program: GSSOC '26

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions