Cap AI search query length at 2000 chars (#61479)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Kevin Heis <heiskr@users.noreply.github.com>

Author: 3 people

src/search/components/input/SearchOverlay.tsx

@@ -22,6 +22,7 @@ import type { AIReference } from '../types'
 import type { AutocompleteSearchHit, GeneralSearchHit } from '@/search/types'
 
 import { sanitizeSearchQuery } from '@/search/lib/sanitize-search-query'
+import { MAX_QUERY_LENGTH } from '@/search/lib/ai-search-constants'
 
 import {
   SearchContext,
@@ -693,6 +694,7 @@ export function SearchOverlay({
             ref={inputRef}
             value={urlSearchInputQuery}
             onChange={handleSearchQueryChange}
+            maxLength={MAX_QUERY_LENGTH}
             leadingVisual={<SearchIcon />}
             role="combobox"
             // In AskAI the search input not longer "controls" the suggestions list, because there is no list, so we remove the aria-controls attribute

src/search/lib/ai-search-constants.ts

@@ -0,0 +1,4 @@
+// Maximum query length (chars) we will forward to cse-copilot. Larger
+// payloads are almost always pasted docs pages or unrelated content
+// and either time out or return no-answer. See github/cse-copilot#1214.
+export const MAX_QUERY_LENGTH = 2000

src/search/lib/ai-search-proxy.ts

@@ -6,6 +6,7 @@ import { getHmacWithEpoch } from '@/search/lib/helpers/get-cse-copilot-auth'
 import { getCSECopilotSource } from '@/search/lib/helpers/cse-copilot-docs-versions'
 import type { ExtendedRequest } from '@/types'
 import { handleExternalSearchAnalytics } from '@/search/lib/helpers/external-search-analytics'
+import { MAX_QUERY_LENGTH } from '@/search/lib/ai-search-constants'
 
 const logger = createLogger(import.meta.url)
 
@@ -26,6 +27,19 @@ export const aiSearchProxy = async (req: ExtendedRequest, res: Response) => {
     errors.push({ message: `Invalid 'query' in request body. Must be a string` })
   }
 
+  if (typeof query === 'string' && query.length > MAX_QUERY_LENGTH) {
+    statsd.increment('ai-search.query_too_large', 1, [
+      `version:${version}`,
+      `language:${req.language}`,
+      `queryLength:${query.length}`,
+    ])
+    res.status(413).json({
+      errors: [{ message: `Query exceeds maximum length of ${MAX_QUERY_LENGTH} characters` }],
+      upstreamStatus: 413,
+    })
+    return
+  }
+
   let docsSource = ''
   try {
     docsSource = getCSECopilotSource(version)

src/search/tests/api-ai-search.ts

@@ -2,6 +2,7 @@ import { expect, test, describe, beforeAll, afterAll } from 'vitest'
 
 import { post } from '@/tests/helpers/e2etest'
 import { startMockServer, stopMockServer } from '@/tests/mocks/start-mock-server'
+import { MAX_QUERY_LENGTH } from '@/search/lib/ai-search-constants'
 
 describe('AI Search Routes', () => {
   beforeAll(() => {
@@ -183,6 +184,23 @@ describe('AI Search Routes', () => {
     expect(responseBody.errors[0].message).toBe("Invalid 'query' in request body. Must be a string")
   })
 
+  test('should reject queries longer than the maximum allowed length', async () => {
+    const longQuery = 'a'.repeat(MAX_QUERY_LENGTH + 1)
+    const response = await post('/api/ai-search/v1', {
+      body: JSON.stringify({ query: longQuery, version: 'dotcom' }),
+      headers: { 'Content-Type': 'application/json' },
+    })
+
+    const responseBody = JSON.parse(response.body)
+
+    expect(response.statusCode).toBe(413)
+    expect(responseBody.upstreamStatus).toBe(413)
+    expect(responseBody.errors).toBeDefined()
+    expect(responseBody.errors[0].message).toBe(
+      `Query exceeds maximum length of ${MAX_QUERY_LENGTH} characters`,
+    )
+  })
+
   test('should handle malformed JSON in request body', async () => {
     const response = await post('/api/ai-search/v1', {
       body: '{ invalid json }',