fix(security): unbounded limit parameter in user search can be

The `index(string $filter = '', int $limit = 5)` method accepts client-controlled `limit` and passes it directly to collaborator search. Without an upper bound, an attacker can request very large limits, causing expensive directory lookups and increased response size.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>

Author: tomaioo

lib/Controller/UserApiController.php

@@ -55,6 +55,7 @@ public function index(string $filter = '', int $limit = 5): DataResponse {
 
 		if (!$this->getSession()->isGuest()) {
 			// Add other users to the autocomplete list
+			$limit = min($limit, 50);
 			[$result] = $this->collaboratorSearch->search($filter, [IShare::TYPE_USER], false, $limit, 0);
 			$userSearch = array_merge($result['users'], $result['exact']['users']);