Summary
Several TypeBox schemas use Type.String() without a maxLength constraint. Unbounded string inputs risk memory exhaustion, slow database queries, and excessively large log entries.
Affected Files
src/api_groups.ts — route params (id, etc.) have no length limit
src/models.ts — multiple string fields in production, line, user, and ingest schemas lack maxLength
Examples
// api_groups.ts
Type.Object({ id: Type.String() }) // no maxLength
// models.ts
name: Type.String({ minLength: 1 }) // minLength set, maxLength missing
Recommendation
Add appropriate maxLength values based on business rules:
// IDs / short identifiers
id: Type.String({ maxLength: 128 })
// Human-readable names
name: Type.String({ minLength: 1, maxLength: 200 })
// Free-text fields
description: Type.String({ maxLength: 2000 })
Fastify's AJV validation will automatically reject oversized payloads with a 400 response.
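The checks the recommendation relies on, as an added example that is not part of the audited project, TypeBox or Fastify: a small validator applying the same minLength/maxLength semantics AJV uses to the JSON Schema that the recommended Type.String(...) calls compile to. The schema objects and the 400 response shape are constructed for this illustration, and nothing here requires @sinclair/typebox or fastify to be installed.

```javascript
// Constructed JSON Schema for Type.Object({ id: Type.String({ maxLength: 128 }) })
const idParamsSchema = {
  type: 'object',
  required: ['id'],
  properties: { id: { type: 'string', maxLength: 128 } },
};

// Constructed JSON Schema for Type.Object({ name: Type.String({ minLength: 1, maxLength: 200 }) })
const nameSchema = {
  type: 'object',
  required: ['name'],
  properties: { name: { type: 'string', minLength: 1, maxLength: 200 } },
};

// JSON Schema (and AJV) measure length in Unicode code points, not UTF-16
// code units, so String.prototype.length would over-count astral characters.
function codePointLength(s) {
  return Array.from(s).length;
}

// Applies required/type/minLength/maxLength to the string properties of a schema.
// Returns [] when valid, otherwise AJV-style error messages.
function validateStrings(schema, payload) {
  const errors = [];
  for (const [key, prop] of Object.entries(schema.properties)) {
    if (prop.type !== 'string') continue;
    const value = payload[key];
    if (value === undefined) {
      if ((schema.required || []).includes(key)) errors.push(`must have required property '${key}'`);
      continue;
    }
    if (typeof value !== 'string') { errors.push(`/${key} must be string`); continue; }
    const len = codePointLength(value);
    if (prop.minLength !== undefined && len < prop.minLength) {
      errors.push(`/${key} must NOT have fewer than ${prop.minLength} characters`);
    }
    if (prop.maxLength !== undefined && len > prop.maxLength) {
      errors.push(`/${key} must NOT have more than ${prop.maxLength} characters`);
    }
  }
  return errors;
}

// Mirrors a failing route schema in Fastify: 400 before the handler runs,
// so an oversized id never reaches the database query or the log line.
function handle(schema, payload) {
  const errors = validateStrings(schema, payload);
  if (errors.length === 0) return { statusCode: 200 };
  return { statusCode: 400, error: 'Bad Request', message: errors.join(', ') };
}
```

Fastify only enforces a schema that is attached to the route (body, params, querystring, headers); a TypeBox schema used purely for static typing is not checked at request time.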
Severity
Low — Defence-in-depth; limits blast radius of malformed or malicious inputs.
Found by automated security audit.