Missing Input Length Validation on LLM Chat Route

[devprashant19]

Component: Node.js Backend / Groq Integration
Files Affected: backend/routes/chatRoutes.js

Description

The user's message input provided to the /chat route is passed directly to the Groq API without any string length validation or truncation. An attacker or malicious bot could send an excessively large string (e.g., millions of characters) in a single payload. This forces the Node server to parse a massive JSON body and forwards excessive input tokens to the Groq LLM, potentially causing rapid API quota exhaustion and unexpected billing spikes.

Proposed Fix

1. Add input validation at the top of the /chat POST route.
2. Check message.length and reject payloads that exceed a reasonable bound (e.g., > 1000 characters) with a 400 Bad Request.

[github-actions]

👋 Welcome back! Thanks for your continued contribution. Your issue/PR is received and waiting for maintainer review.

[github-actions]

The issue involves the lack of input length validation in the /chat route of a Node.js backend that integrates with the Groq API. This allows attackers to send excessively large payloads, which can overwhelm the server and rapidly consume API quotas, leading to potential billing spikes. A proposed fix is to implement input validation to reject messages exceeding a reasonable character limit (e.g., 1000 characters) with a 400 Bad Request response.

[devprashant19]

@Userunknown84 I would like to work on this issue, please assign me