This is a bounty to fix a missing input validation vulnerability (DoS via long query strings) on a search endpoint in a Node.js application. The task involves adding length limits, trimming, and sanitization to the search query parameter. The bounty is explicitly funded and limited to the issue author, meaning it's a direct piece of paid work if claimed.
A starter prompt for Claude Code, what you'll need, and how to reach them.
You are an expert Node.js developer. The task is to fix a Denial of Service (DoS) vulnerability on a search endpoint by adding input validation. Specifically, in `apps/api/src/controllers/searchController.js`, I need you to modify the `GET /api/search` endpoint's handling of `req.query.q`. Implement logic to: 1. Trim leading/trailing whitespace. 2. Limit the query string length to a maximum of 200 characters. 3. Sanitize the input to prevent common XSS or injection vectors, using a library like `express-validator` or a similar robust method. Provide the full updated `searchController.js` file and any necessary package.json changes for new dependencies. Also, provide a unit test file using `mocha` and `chai` that demonstrates the vulnerability is fixed (e.g., sending an overly long query results in an error or truncated input). Use `Next.js 16 App Router`, `React 19`, `Tailwind v4`, and `AI SDK v6 with Gemini` for any UI components if a demo frontend is needed (though for this backend fix, focus on the Node.js controller and tests). The output should be a single markdown block with the updated controller code, relevant package.json updates, and the unit test file.
Developers and teams using `forge-kit` or `repo-gardener` to automate their build loops and repository health could benefit from a service that automatically identifies and flags such security vulnerabilities as issues to be fixed.
Bounty (amount on the issue).

## Bug: Missing Input Validation on Search Query

**Description:** The `GET /api/search` endpoint passes `req.query.q` directly to the search service without any validation or length limits. An attacker could send extremely long query strings to consume server resources.

**File:** `apps/api/src/controllers/searchController.js`

**Expected behavior:** The search query should be validated: trimmed, limited in length (e.g., 200 chars), and sanitized.

**Impact:** Low-Medium, potential DoS via overly long query strings.

This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information.
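The following is an added example of the fix the issue asks for; it is not code from the project or from the issue author. It shows the unvalidated "before" handler next to a validated "after" handler built around a small `validateSearchQuery` helper that trims, caps the query at 200 characters and strips control characters and angle brackets. `searchService`, `makeResponse` and the handler names are assumptions chosen for this example; the real controller, search backend and the `express-validator` route the prompt mentions are not shown. One caveat worth noting: Express turns a repeated parameter such as `?q=a&q=b` into an array, so the helper rejects anything that is not a single string rather than calling `.trim()` on it.

```javascript
// Added example, not the project's own code. A framework-agnostic validator for
// the `q` search parameter plus a minimal Express-style handler around it. The
// search service below is a placeholder that stands in for the real backend.

const MAX_QUERY_LENGTH = 200;

// Placeholder for the real search backend; records what it was asked for so the
// handlers can be exercised without a database.
const searchService = {
  calls: [],
  search(q) {
    this.calls.push(q);
    return [{ id: 1, title: `result for ${q}` }];
  },
};

// Returns { ok: true, value } with the cleaned query, or { ok: false, error }.
function validateSearchQuery(raw) {
  // Express parses `?q=a&q=b` into an array; accept exactly one string.
  if (typeof raw !== 'string') {
    return { ok: false, error: 'q must be a single string' };
  }
  const trimmed = raw.trim();
  if (trimmed.length === 0) {
    return { ok: false, error: 'q is required' };
  }
  // The length check runs before any other processing and before the search
  // service is touched, so an oversized query is rejected almost for free.
  if (trimmed.length > MAX_QUERY_LENGTH) {
    return { ok: false, error: `q must be at most ${MAX_QUERY_LENGTH} characters` };
  }
  // Drop control characters and angle brackets, the pieces most often used to
  // smuggle markup or terminator bytes downstream. This is defense in depth;
  // the search service must still parameterize its own queries.
  const sanitized = trimmed
    .replace(/[\u0000-\u001F\u007F]/g, '')
    .replace(/[<>]/g, '');
  return { ok: true, value: sanitized };
}

// Before: the shape the issue describes, passing req.query.q straight through.
function vulnerableSearchHandler(req, res) {
  return res.status(200).json(searchService.search(req.query.q));
}

// After: validate first, answer 400 on failure, and only then run the search.
function searchHandler(req, res) {
  const result = validateSearchQuery(req.query.q);
  if (!result.ok) {
    return res.status(400).json({ error: result.error });
  }
  return res.status(200).json(searchService.search(result.value));
}

// Tiny stand-in for an Express response object so the handlers run offline.
function makeResponse() {
  return {
    statusCode: null,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
}

// Demonstration on constructed requests: one oversized query, one ordinary one.
function runDemo() {
  const rejected = makeResponse();
  searchHandler({ query: { q: 'a'.repeat(5000) } }, rejected);
  const accepted = makeResponse();
  searchHandler({ query: { q: '  laptop <b>  ' } }, accepted);
  return { rejected, accepted };
}

const demo = runDemo();
console.log(demo.rejected.statusCode, demo.rejected.body);
console.log(demo.accepted.statusCode, demo.accepted.body);
```

The 200-character cap mostly protects the search service behind the endpoint: Node's HTTP parser already bounds the whole request head, so the real cost of an oversized `q` is whatever the backend does with it, which is why the check sits before the `searchService.search` call rather than after it.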
Standard for any dev work.
Core backend skills for the operator.
Familiarity with forking, cloning, PRs.
Review common sanitization techniques for web inputs - ~few hours.
Create another issue with the exact same contents as issue #1781 and refer to issue #743 for more information, as explicitly stated in the bounty description. The issue author states 'only the issue author can attempt to solve this issue'.
“I've re-created the issue as requested and am ready to implement the input validation fix for the search endpoint. I can deliver a tested PR by [date] to resolve the DoS vulnerability.”