
fix(ai-controller): add 2000 character max-length guard on queryBuilder prompt (#274)

Merged
yash-pouranik merged 2 commits into geturbackend:main from aaniya22:fix/ai-query-builder-prompt-max-length on Jun 5, 2026

Conversation

@aaniya22 (Contributor) commented Jun 5, 2026

Closes #247

Problem

The queryBuilder controller validated that prompt was a non-empty
string but applied no upper-bound limit. This allowed arbitrarily large
prompts to be forwarded directly to the AI service, consuming unbounded
token quota per request.

Fix

Added a length check on safePrompt after trimming. Prompts exceeding
2000 characters are rejected with HTTP 400 before any AI service call
is made.

Changes

  • apps/dashboard-api/src/controllers/ai.controller.js: added max-length
    guard in queryBuilder after the empty-string check

Summary by CodeRabbit

  • Bug Fixes
    • Added validation to enforce a 2000-character limit on prompts. Requests exceeding this limit will now return an error.
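The guard the PR describes, as an added example that is not the project's own code: `safePrompt`, `AppError` and the 2000-character limit come from the PR text, while `MAX_PROMPT_LENGTH`, `validatePrompt`, `queryBuilder`'s simulated shape and the fake `aiService` are assumed names constructed here to show that an oversized prompt is rejected before any AI call is made.

```javascript
// Added example, not the project's code. Mirrors the guard the PR describes:
// validate the prompt fully (type, emptiness, max length) before any AI call.
const MAX_PROMPT_LENGTH = 2000; // limit stated in the PR (constant name assumed)

// Minimal stand-in for the project's AppError (assumed shape: status + message).
class AppError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Returns the trimmed prompt or throws an AppError carrying an HTTP status.
function validatePrompt(prompt) {
  if (typeof prompt !== 'string') {
    throw new AppError(400, 'prompt must be a string');
  }
  // Trim first so surrounding whitespace neither bypasses the empty check
  // nor counts toward the limit.
  const safePrompt = prompt.trim();
  if (safePrompt.length === 0) {
    throw new AppError(400, 'prompt must not be empty');
  }
  // Upper bound: reject before the request reaches the AI service so an
  // oversized prompt never consumes token quota.
  if (safePrompt.length > MAX_PROMPT_LENGTH) {
    throw new AppError(400, `prompt must be at most ${MAX_PROMPT_LENGTH} characters`);
  }
  return safePrompt;
}

// Simulated queryBuilder handler (assumed shape): returns an HTTP-like result
// so the ordering of guard and AI call can be checked without a framework.
function queryBuilder(body, aiService) {
  try {
    const safePrompt = validatePrompt(body.prompt);
    const result = aiService.call(safePrompt);
    return { status: 200, result };
  } catch (err) {
    if (err instanceof AppError) return { status: err.status, error: err.message };
    throw err;
  }
}

// Constructed fake AI service that counts how often it was actually called.
function makeFakeAiService() {
  const svc = { calls: 0, call(p) { svc.calls += 1; return `echo:${p.length}`; } };
  return svc;
}
```

Note that `String.prototype.length` counts UTF-16 code units, so characters outside the Basic Multilingual Plane count as two; for a quota guard that errs on the strict side, which is the safe direction.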

coderabbitai Bot (Contributor) commented Jun 5, 2026


Warning

Review limit reached

@aaniya22, we couldn't start this review because you've reached your PR review rate limit.


📥 Commits

Reviewing files that changed from the base of the PR and between 508dd3b and 6bed995.

📒 Files selected for processing (1)
  • apps/dashboard-api/src/controllers/ai.controller.js
📝 Walkthrough

The AI query builder controller now enforces a 2000-character maximum length on the prompt input. Requests exceeding this limit are rejected with HTTP 400 before forwarding to the Python service, preventing unbounded token consumption.

Changes

Prompt Length Constraint

  • Layer: Prompt length validation
  • File(s): apps/dashboard-api/src/controllers/ai.controller.js
  • Summary: The queryBuilder controller validates that the trimmed prompt does not exceed 2000 characters and throws a 400 AppError if the limit is exceeded, before any forwarding to the Python service occurs.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A prompt too long? No more, no more!
With 2000 chars, we've set the floor.
Tokens won't flee in a boundless spree—
Just right-sized words, wild and free!

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped: CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: adding a 2000-character max-length validation guard to the AI controller's queryBuilder prompt parameter.
  • Linked Issues check: ✅ Passed. The code changes fully address all objectives from issue #247: trimming is implemented, max-length validation of 2000 characters is enforced, and HTTP 400 errors are returned before any AI service call.
  • Out of Scope Changes check: ✅ Passed. All changes are directly scoped to the stated objective of adding max-length validation to the queryBuilder prompt parameter with no unrelated modifications.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@yash-pouranik yash-pouranik merged commit b40bd78 into geturbackend:main Jun 5, 2026
8 checks passed

Development

Successfully merging this pull request may close these issues.

[Bug] dashboard-api: AI query builder accepts prompt with no max-length constraint, allowing unbounded token consumption on every AI request

2 participants