[Bug] dashboard-api: AI query builder accepts prompt with no max-length constraint, allowing unbounded token consumption on every AI request

[anshul23102]

Bug Summary

The queryBuilder controller in apps/dashboard-api/src/controllers/ai.controller.js validates that prompt is a non-empty string, but applies no upper-bound constraint on its length:

const safePrompt = prompt.trim();

if (!safeCollectionName || !safePrompt) {
    throw new AppError(400, "Collection name and prompt are required");
}

// safePrompt is forwarded to the Python AI service with no length cap
const result = await forwardToPythonService('/query-builder', {
    prompt: safePrompt,
    schema: schemaFields,
    ...
});

An authenticated developer can submit a prompt containing hundreds of thousands of characters. This payload is forwarded directly to the underlying LLM service via forwardToPythonService. Each token in the prompt consumes quota from the project's or platform's AI allocation. A single oversized prompt can exhaust a plan's monthly AI credits in one request.

Steps to Reproduce

1. Log in as a developer with any plan.
2. POST to /api/projects/:id/ai/query-builder with { "collectionName": "items", "prompt": "<100,000 character string>" }.
3. Observe the full prompt is forwarded to the AI service and the response returns successfully.

Expected Behavior

safePrompt should be capped at a practical maximum length (for example, 2000 characters). Requests exceeding the limit should be rejected with HTTP 400 before any AI service call is made.

Actual Behavior

Prompts of arbitrary length are accepted and forwarded to the AI service, consuming unbounded token quota per request.

Affected File

apps/dashboard-api/src/controllers/ai.controller.js, queryBuilder function.

---

@geturbackend I would like to work on this issue. Could you please assign/ it to me? Contributing under NSoC '26.

[shravya290706]

Hi
I would like to work on this issue under SSOC'26.
Kindly assign this issue to me.
Thank you!

[anshul23102]

Hi @yash-pouranik, I am the author of this issue and would like to work on it under GSSoC '26.

I have traced the root cause and have a targeted fix ready for the unbounded prompt length in the AI query builder allowing unlimited token consumption.

I will request formal assignment once my work on issue #245 is complete, in line with the one-issue-at-a-time rule. Flagging my interest here so the issue stays on your radar.

GSSoC '26

[yash-pouranik]

cannot assign anyone of u, as already assigned in some other issue

[yash-pouranik]

@shravya290706
Are u not in gssoc?

[anshul23102]

@yash-pouranik My PR for issue #245 is now open (#256). Could you please assign/ this issue to me? I'd like to work on it under GSSoC '26. Thank you.

[yash-pouranik]

broo why spamming??? again and again??
I told u na, that I can only assign 1.
and just for now assigned 2 issues.

[shravya290706]

@yash-pouranik Not yet, i have applied for gssoc,

[yash-pouranik]

actually I really dont know about, ssoc, like what are the labels and all.

[aaniya22]

pls assign this to me under gssoc'26

[yash-pouranik]

@aaniya22
Share approach

[aaniya22]

I plan to resolve this by adding an explicit length validation check within the ⁠queryBuilder⁠ function inside ⁠apps/dashboard-api/src/controllers/ai.controller.js⁠ (⁠image_4.png⁠):
1 Enforce an Upper Bound: Define a strict maximum character limit (e.g., ⁠MAX_PROMPT_LENGTH = 2000⁠) right after string normalization (⁠image_3.png⁠).
2 Early Rejection: If ⁠safePrompt.length⁠ exceeds this threshold, the API will immediately throw a ⁠400 Bad Request⁠ ⁠AppError⁠ before making any heavy downstream calls to ⁠forwardToPythonService⁠ (⁠image_2.png⁠, ⁠image_3.png⁠).
3 Validation: Test to ensure standard prompts process smoothly while payloads exceeding the limit are blocked instantly at the controller layer.
Could you please assign this issue to me? I'd love to open a PR for it.

[yash-pouranik]

okay
I follow 1 issue per contibutor
So go ahead with this only.
@aaniya22

[aaniya22]

ok