There are some DTOs that are not validated and whose properties are decorated only with @Allow(), because the properties are sent to Formio in the dryRun process. An attacker could send a very large value in those DTOs trying to crash it. Even those DTOs can have some kind of length restriction to avoid this, e.g.: EducationProgramAPIInDTO

![image.png]

Acceptance Criteria
- [ ] Find DTOs with @Allow() only and find their maximum lengths in the DB;
- [ ] Add @ArrayMaxSize() to arrays;
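The kind of gate the acceptance criteria ask for, as an added illustration that is not code from the project or the issue author: a size check that runs over a DTO payload before it is forwarded to the Formio dryRun, so that oversized strings and arrays are rejected at the API boundary instead of being passed on. It uses no class-validator decorators so that it runs stand-alone; in the real code base the same limits would be expressed with `@MaxLength()` and `@ArrayMaxSize()` next to `@Allow()`. The property names and numbers in `EDUCATION_PROGRAM_LIMITS` are constructed placeholders standing in for the column lengths read from the DB, not the project's actual schema.

```typescript
// Added example, not code from the project: a size gate for DTOs whose
// properties carry only @Allow() (so no length validation happens) before the
// payload is handed to the Formio dryRun. Limits are constructed assumptions
// standing in for the column lengths that would be read from the DB.

type SizeLimits = {
  maxLength: { [property: string]: number };    // string property -> max characters
  arrayMaxSize: { [property: string]: number }; // array property -> max elements
};

interface SizeViolation {
  property: string;
  constraint: "maxLength" | "arrayMaxSize";
  actual: number;
  limit: number;
}

// Returns one violation per property whose value exceeds its configured limit.
// Properties that are absent or of another type are not reported here; they
// are left to the downstream Formio validation, exactly as @Allow() intends.
function checkSizeLimits(
  payload: { [key: string]: unknown },
  limits: SizeLimits,
): SizeViolation[] {
  const violations: SizeViolation[] = [];
  for (const property of Object.keys(limits.maxLength)) {
    const value = payload[property];
    const limit = limits.maxLength[property];
    if (typeof value === "string" && value.length > limit) {
      violations.push({ property, constraint: "maxLength", actual: value.length, limit });
    }
  }
  for (const property of Object.keys(limits.arrayMaxSize)) {
    const value = payload[property];
    const limit = limits.arrayMaxSize[property];
    if (Array.isArray(value) && value.length > limit) {
      violations.push({ property, constraint: "arrayMaxSize", actual: value.length, limit });
    }
  }
  return violations;
}

// Hypothetical limits for EducationProgramAPIInDTO. The property names and
// numbers are placeholders, not the project's real columns.
const EDUCATION_PROGRAM_LIMITS: SizeLimits = {
  maxLength: { name: 100, description: 500 },
  arrayMaxSize: { programIntensity: 4 },
};

// Guard to call before forwarding to the dry run: throw instead of passing on.
function assertWithinLimits(
  payload: { [key: string]: unknown },
  limits: SizeLimits,
): void {
  const violations = checkSizeLimits(payload, limits);
  if (violations.length > 0) {
    const detail = violations
      .map((v) => v.property + " " + v.constraint + " " + v.actual + " > " + v.limit)
      .join(", ");
    throw new Error("Payload exceeds size limits: " + detail);
  }
}
```

Two practical notes: `value.length` counts UTF-16 code units, so a limit taken from a byte-sized DB column (or one that counts code points) should be compared against `Buffer.byteLength(value)` or a code-point count instead; and this per-property check complements, rather than replaces, a cap on the raw request body size at the HTTP layer, which stops a multi-megabyte JSON document before it is even parsed.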