From be58352925df280d18c4fc66ce4ac58c980c3627 Mon Sep 17 00:00:00 2001
From: fallenbagel <98979876+Fallenbagel@users.noreply.github.com>
Date: Mon, 16 Feb 2026 09:41:01 +0800
Subject: [PATCH] feat(routing): add validation for ruleIds in reorder endpoint
---
 server/routes/settings/routingRule.ts | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/server/routes/settings/routingRule.ts b/server/routes/settings/routingRule.ts
index 0cf84dff..825deae2 100644
--- a/server/routes/settings/routingRule.ts
+++ b/server/routes/settings/routingRule.ts
@@ -331,6 +331,19 @@ routingRuleRoutes.post(
 try {
 const { ruleIds } = req.body as { ruleIds: number[] };
 
+ const MAX_RULE_IDS = 1000;
+
+ if (!Array.isArray(ruleIds)) {
+ return next({ status: 400, message: 'ruleIds must be an array.' });
+ }
+
+ if (ruleIds.length > MAX_RULE_IDS) {
+ return next({
+ status: 400,
+ message: `Too many ruleIds provided. Maximum allowed is ${MAX_RULE_IDS}.`,
+ });
+ }
+
 const rules = await routingRuleRepository.findBy({ id: In(ruleIds) });
 const fallbackIds = new Set(
 rules.filter((r) => r.isFallback).map((r) => r.id)
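Review bot: The two new guards bound the size of `ruleIds` but never inspect its elements, so the `as { ruleIds: number[] }` assertion on the context line above is still unverified when the array reaches `In(ruleIds)`. A request body holding strings, objects or nested arrays passes both checks and is handed to the repository query as if it were a list of ids. Adding `if (!ruleIds.every((id) => Number.isInteger(id))) { return next({ status: 400, message: 'ruleIds must contain only integers.' }); }` right after the length check would make the 400 path cover that case as well. `MAX_RULE_IDS` would also read better as a module-level constant than one re-declared inside the handler on every request. The handler starts before and continues past this hunk, so how the ids are used after `fallbackIds` is not visible here.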