Problem
The study plan extraction endpoint accepts arbitrary text input from the user and forwards it directly to the Gemini API without enforcing any maximum length. A user can submit an extremely large text block (e.g., an entire textbook chapter or a several-thousand-word document) as a single prompt, consuming a large number of language model tokens per request. Repeated or automated oversized requests exhaust the project's API quota rapidly, causing the service to fail for all users.
Steps to Reproduce
- Open the study plan input field
- Paste a document with 50,000+ characters
- Submit the form
- Observe the full text is sent to the external API with no truncation or rejection
Proposed Fix
Enforce a character limit on the input field both client-side (for UX) and server-side (for security):
const MAX_INPUT_CHARS = 3000;
router.post("/extract", async (req, res) => {
const { prompt } = req.body;
if (!prompt || typeof prompt !== "string") {
return res.status(400).json({ error: "Input is required." });
}
if (prompt.length > MAX_INPUT_CHARS) {
return res.status(413).json({
error: `Input exceeds the maximum allowed length of ${MAX_INPUT_CHARS} characters.`
});
}
// proceed with API call
});
Complexity: Level 2 | Program: GSSOC '26
Problem
The study plan extraction endpoint accepts arbitrary text input from the user and forwards it directly to the Gemini API without enforcing any maximum length. A user can submit an extremely large text block (e.g., an entire textbook chapter or a several-thousand-word document) as a single prompt, consuming a large number of language model tokens per request. Repeated or automated oversized requests exhaust the project's API quota rapidly, causing the service to fail for all users.
Steps to Reproduce
Proposed Fix
Enforce a character limit on the input field both client-side (for UX) and server-side (for security):
Complexity: Level 2 | Program: GSSOC '26