fix(security): cap PersonController size param at 50 to prevent resource exhaustion

Addresses @Nora review: ?sort=documentCount&size=999999 could trigger a full-table query and large serialization. Cap enforced at controller boundary. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-07 22:18:04 +02:00
parent 92587b050e
commit 9b5547757a
2 changed files with 14 additions and 1 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/person/PersonController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/person/PersonController.java
@@ -40,7 +40,8 @@ public class PersonController {
            @RequestParam(required = false, defaultValue = "0") int size,
            @RequestParam(required = false) String sort) {
        if ("documentCount".equals(sort) && size > 0 && q == null) {
-            return ResponseEntity.ok(personService.findTopByDocumentCount(size));
+            int safeSize = Math.min(size, 50);
+            return ResponseEntity.ok(personService.findTopByDocumentCount(safeSize));
        }
        return ResponseEntity.ok(personService.findAll(q));
    }