From c30fda58626cc1ddb193bacd091c30d091dd9d7b Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 20 Jan 2026 22:15:40 +0400
Subject: [PATCH] fix: cap max_results to 1000 to prevent DoS
---
 src/server/api.rs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/server/api.rs b/src/server/api.rs
index bd5cc8a..920c9fd 100644
--- a/src/server/api.rs
+++ b/src/server/api.rs
@@ -241,7 +241,10 @@ async fn search(
         }
     };
-    let candidates = match db.search_similar(&query_embedding, &abs_path, req.max_results * 3) {
+    // Limit max_results to prevent DoS/OOM
+    let max_results = req.max_results.min(1000);
+    let candidates = match db.search_similar(&query_embedding, &abs_path, max_results * 3) {
         Ok(c) => c,
         Err(e) => {
             return (
@@ -287,7 +290,7 @@ async fn search(
                 .unwrap_or(std::cmp::Ordering::Equal)
             });
-    results.truncate(req.max_results);
+    results.truncate(max_results);
     let total = results.len();
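Review bot: The cap `1000` on the `let max_results` line is a bare magic number that also governs the candidate fetch (`max_results * 3`) and the later `results.truncate(max_results)` in the second hunk; lifting it to a documented module-level constant, `/// Upper bound on max_results accepted from a client; bounds DB work and response size.` followed by `const MAX_RESULTS: usize = 1000;` and `let max_results = req.max_results.min(MAX_RESULTS);`, keeps the limit discoverable and tunable in one place. The clamp is silent, so a client asking for more gets a shorter result set with no indication it was capped — if the handler already has a validation-error path for malformed requests (the `Err(e) => { return (` arm suggests a status/body tuple is returned), consider whether rejecting or echoing the effective limit fits the API better; the hunk alone cannot settle that. Worth one clause in the new comment is that the cap is also what makes the `* 3` oversampling safe from wrapping on a large request, e.g. `// Limit max_results to prevent DoS/OOM (also keeps max_results * 3 from overflowing)`. The enclosing `search` function starts and ends outside the hunk.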