fix(ai-apis): reject text inputs that are longer than 64K chars

julien-nc · julien-nc · commit ae728916a489 · 2025-11-10T16:39:04.000+01:00
Signed-off-by: Julien Veyssier &lt;julien-nc@posteo.net&gt;
diff --git a/core/Controller/TextProcessingApiController.php b/core/Controller/TextProcessingApiController.php
@@ -102,6 +102,9 @@ public function taskTypes(): DataResponse {
 	#[AnonRateLimit(limit: 5, period: 120)]
 	#[ApiRoute(verb: 'POST', url: '/schedule', root: '/textprocessing')]
 	public function schedule(string $input, string $type, string $appId, string $identifier = ''): DataResponse {
+		if (strlen($input) > 64_000) {
+			return new DataResponse(['message' => $this->l->t('Input text is too long')], Http::STATUS_BAD_REQUEST);
+		}
 		try {
 			$task = new Task($type, $input, $appId, $this->userId, $identifier);
 		} catch (InvalidArgumentException) {
diff --git a/core/Controller/TextToImageApiController.php b/core/Controller/TextToImageApiController.php
@@ -78,6 +78,9 @@ public function isAvailable(): DataResponse {
 	#[UserRateLimit(limit: 20, period: 120)]
 	#[ApiRoute(verb: 'POST', url: '/schedule', root: '/text2image')]
 	public function schedule(string $input, string $appId, string $identifier = '', int $numberOfImages = 8): DataResponse {
+		if (strlen($input) > 64_000) {
+			return new DataResponse(['message' => $this->l->t('Input text is too long')], Http::STATUS_BAD_REQUEST);
+		}
 		$task = new Task($input, $appId, $numberOfImages, $this->userId, $identifier);
 		try {
 			try {
diff --git a/core/Controller/TranslationApiController.php b/core/Controller/TranslationApiController.php
@@ -67,6 +67,9 @@ public function languages(): DataResponse {
 	#[AnonRateLimit(limit: 10, period: 120)]
 	#[ApiRoute(verb: 'POST', url: '/translate', root: '/translation')]
 	public function translate(string $text, ?string $fromLanguage, string $toLanguage): DataResponse {
+		if (strlen($text) > 64_000) {
+			return new DataResponse(['message' => $this->l10n->t('Input text is too long')], Http::STATUS_BAD_REQUEST);
+		}
 		try {
 			$translation = $this->translationManager->translate($text, $fromLanguage, $toLanguage);
 
diff --git a/lib/public/TaskProcessing/EShapeType.php b/lib/public/TaskProcessing/EShapeType.php
@@ -82,6 +82,9 @@ private function validateNonFileType(mixed $value): void {
 	 */
 	public function validateInput(mixed $value): void {
 		$this->validateNonFileType($value);
+		if ($this === EShapeType::Text && is_string($value) && strlen($value) > 64_000) {
+			throw new ValidationException('Text is too long');
+		}
 		if ($this === EShapeType::Image && !is_numeric($value)) {
 			throw new ValidationException('Non-image item provided for Image slot');
 		}
