From 36d510e8c68e002359c6cb5cc0a82e4721b5f957 Mon Sep 17 00:00:00 2001
From: Stas Moreinis
Date: Wed, 24 Dec 2025 12:32:41 -0800
Subject: [PATCH] Add pagination bounds to prevent DoS via unbounded queries

- spans.py: Add Query validation (limit: 1-1000, page_number: >= 1)
- agent_api_keys.py: Add Query validation (limit: 1-1000, page_number: >= 1)

Prevents memory exhaustion from requests like ?limit=10000000
---
 agentex/src/api/routes/agent_api_keys.py | 6 +++---
 agentex/src/api/routes/spans.py          | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/agentex/src/api/routes/agent_api_keys.py b/agentex/src/api/routes/agent_api_keys.py
index 978f46c..dec3e00 100644
--- a/agentex/src/api/routes/agent_api_keys.py
+++ b/agentex/src/api/routes/agent_api_keys.py
@@ -1,6 +1,6 @@
 import secrets
 
-from fastapi import APIRouter, HTTPException
+from fastapi import APIRouter, HTTPException, Query
 
 from src.api.schemas.agent_api_keys import (
     AgentAPIKey,
@@ -79,8 +79,8 @@ async def list_agent_api_keys(
     agent_use_case: DAgentsUseCase,
     agent_id: str | None = None,
     agent_name: str | None = None,
-    limit: int = 50,
-    page_number: int = 1,
+    limit: int = Query(default=50, ge=1, le=1000),
+    page_number: int = Query(default=1, ge=1),
 ) -> list[AgentAPIKey]:
     if not agent_id and not agent_name:
         raise HTTPException(
diff --git a/agentex/src/api/routes/spans.py b/agentex/src/api/routes/spans.py
index c9ff6d3..65ef1d1 100644
--- a/agentex/src/api/routes/spans.py
+++ b/agentex/src/api/routes/spans.py
@@ -1,4 +1,4 @@
-from fastapi import APIRouter
+from fastapi import APIRouter, Query
 
 from src.api.schemas.spans import CreateSpanRequest, Span, UpdateSpanRequest
 from src.domain.use_cases.spans_use_case import DSpanUseCase
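Review bot: `page_number` in the `list_agent_api_keys` hunk gets only a lower bound, so a request can still ask for an arbitrarily large page number and, if the use case turns `(page_number - 1) * limit` into an OFFSET, the database still walks past that many rows even though the returned page is now capped; the same applies to `list_spans` in spans.py. Consider an upper bound here as well (`page_number: int = Query(default=1, ge=1, le=MAX_PAGE_NUMBER)`, with `MAX_PAGE_NUMBER` chosen from the expected table size) or cursor-based pagination, and pull the repeated `1000` into one shared constant such as `MAX_PAGE_SIZE = 1000` so the two routes cannot drift apart. How the offset is computed is not visible in this hunk, so confirm against `DAgentsUseCase` before treating it as a confirmed cost issue. The signature of `list_agent_api_keys` starts before the hunk and its body continues after it.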
@@ -80,8 +80,8 @@ async def get_span(
 async def list_spans(
     span_use_case: DSpanUseCase,
     trace_id: str | None = None,
-    limit: int = 50,
-    page_number: int = 1,
+    limit: int = Query(default=50, ge=1, le=1000),
+    page_number: int = Query(default=1, ge=1),
     order_by: str | None = None,
     order_direction: str = "desc",
 ) -> list[Span]:
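Review bot: `order_by` on the context line directly below the new bounds is still accepted as a free-form string with no validation, while the commit hardens the neighbouring `limit`/`page_number` in the same signature; if `DSpanUseCase` interpolates it into an ORDER BY clause or resolves it by attribute lookup on the model, an allow-list of sortable columns belongs at this boundary, e.g. `order_by: Literal["<allowed-column>", ...] | None = None` (column names to be taken from the span model, `Literal` from `typing`) and likewise `order_direction: Literal["asc", "desc"] = "desc"`. Whether the use case validates these values is not visible here, so treat it as a point to verify rather than a confirmed defect. The body of `list_spans` continues outside the hunk.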