Severity: High (Appsec H3, Quality M4)
`src/server/app.ts:42-43`, `src/server/routes/feed.tsx:88-89` — `limit` and `offset` query params are parsed with `parseInt` but never validated. Issues:
- `?limit=999999999` lets a single request pull an unbounded result set, causing memory exhaustion
- `?limit=abc` produces NaN, which is passed through to the DB query
- Negative values are not rejected
Recommendation: Clamp limit to a max (e.g., 200), validate non-negative, default on NaN.
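One way to apply the recommendation, written as an added example rather than the project's own code; the default limit of 20, the maximum of 200, the treatment of `limit=0` as the default, and the `parsePagination` name are assumptions:

```typescript
// Added example: a pagination parser for Express-style query values.
// Assumed defaults (not from the project): MAX_LIMIT = 200, DEFAULT_LIMIT = 20.
const MAX_LIMIT = 200;
const DEFAULT_LIMIT = 20;

interface Pagination {
  limit: number;
  offset: number;
}

// Express query values can be a string, an array of strings, or undefined.
type QueryValue = string | string[] | undefined;

// Parse one integer query param. Missing, non-numeric (would be NaN under
// parseInt), negative, fractional or unsafe-integer input returns `fallback`
// instead of being passed through to the DB query.
function parseNonNegativeInt(raw: QueryValue, fallback: number): number {
  const value = Array.isArray(raw) ? raw[0] : raw;
  if (value === undefined || !/^\d+$/.test(value.trim())) {
    return fallback;
  }
  const n = Number(value);
  return Number.isSafeInteger(n) ? n : fallback;
}

// Validate and clamp `limit`/`offset` before they reach the query layer.
function parsePagination(query: { limit?: QueryValue; offset?: QueryValue }): Pagination {
  const rawLimit = parseNonNegativeInt(query.limit, DEFAULT_LIMIT);
  // Clamp to the maximum; a limit of 0 is treated as "use the default" (assumption).
  const limit = Math.min(rawLimit === 0 ? DEFAULT_LIMIT : rawLimit, MAX_LIMIT);
  const offset = parseNonNegativeInt(query.offset, 0);
  return { limit, offset };
}
```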