elastic · clintandrewhall · Mar 25, 2026 · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026
@@ -91,7 +91,8 @@ export const registerAccessControl = async ({
               schema.object({
                 type: schema.string(),
                 id: schema.string(),
-              })
+              }),
+              { maxSize: 100 }
             ),
             accessMode: schema.oneOf([
               schema.literal('write_restricted'),
@@ -103,6 +104,7 @@ export const registerAccessControl = async ({
           200: {
             body: () =>
               schema.object({
+                // codeql[js/kibana/unbounded-array-in-schema] output schema — server controls the response size
                 results: schema.arrayOf(
                   schema.object({
                     type: schema.string(),

@@ -20,6 +20,7 @@ export interface FavoritesSavedObjectAttributes {
 const schemaV1 = schema.object({
   userId: schema.string(),
   type: schema.string(), // object type, e.g. dashboard
+  // codeql[js/kibana/unbounded-array-in-schema] saved object schema — not route input
   favoriteIds: schema.arrayOf(schema.string()),
 });
 

@@ -20,13 +20,14 @@ export const bulkGetSchemas = {
     {
       contentTypeId: schema.string(),
       version: versionSchema,
-      ids: schema.arrayOf(schema.string({ minLength: 1 }), { minSize: 1 }),
+      ids: schema.arrayOf(schema.string({ minLength: 1 }), { minSize: 1, maxSize: 100 }),
       options: schema.maybe(schema.object({}, { unknowns: 'allow' })),
     },
     { unknowns: 'forbid' }
   ),
   out: schema.object(
     {
+      // codeql[js/kibana/unbounded-array-in-schema] output schema — server controls the response size
       hits: schema.arrayOf(getResultSchema),
       meta: schema.maybe(schema.object({}, { unknowns: 'allow' })),
     },

@@ -22,6 +22,7 @@ export const mSearchSchemas = {
         schema.object({ contentTypeId: schema.string(), version: versionSchema }),
         {
           minSize: 1,
+          maxSize: 100,
         }
       ),
       query: searchQuerySchema,
@@ -30,6 +31,7 @@ export const mSearchSchemas = {
   ),
   out: schema.object(
     {
+      // codeql[js/kibana/unbounded-array-in-schema] output schema — server controls the response size
       contentTypes: schema.arrayOf(
         schema.object({ contentTypeId: schema.string(), version: versionSchema })
       ),

@@ -19,8 +19,8 @@ export const searchQuerySchema = schema.oneOf([
       text: schema.maybe(schema.string()),
       tags: schema.maybe(
         schema.object({
-          included: schema.maybe(schema.arrayOf(schema.string())),
-          excluded: schema.maybe(schema.arrayOf(schema.string())),
+          included: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })),
+          excluded: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })),
         })
       ),
       limit: schema.maybe(schema.number()),
@@ -33,6 +33,7 @@ export const searchQuerySchema = schema.oneOf([
 ]);
 
 export const searchResultSchema = schema.object({
+  // codeql[js/kibana/unbounded-array-in-schema] output schema — server controls the response size
   hits: schema.arrayOf(schema.any()),
   pagination: schema.object({
     total: schema.number(),

@@ -21,8 +21,14 @@ const method = 'post' as const;
 const string64 = schema.string({ minLength: 1, maxLength: 64 });
 const string256 = schema.string({ minLength: 1, maxLength: 256 });
 
-export const stringOrArrayOfStrings = schema.oneOf([string64, schema.arrayOf(string64)]);
-export const nameStringOrArrayOfNameStrings = schema.oneOf([string256, schema.arrayOf(string256)]);
+export const stringOrArrayOfStrings = schema.oneOf([
+  string64,
+  schema.arrayOf(string64, { maxSize: 100 }),
+]);
+export const nameStringOrArrayOfNameStrings = schema.oneOf([
+  string256,
+  schema.arrayOf(string256, { maxSize: 100 }),
+]);
 
 export function toArrayOrUndefined(val?: string | string[]): undefined | string[] {
   if (val == null) return undefined;

@@ -28,6 +28,7 @@ const dataIndexSchema = schema.object({
   fields: schema.recordOf(schema.string(), schema.any()),
 
   // times fields that will be updated relative to now when data is installed
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   timeFields: schema.arrayOf(schema.string()),
 
   // should index be created as data stream
@@ -79,18 +80,21 @@ export const sampleDataSchema = schema.object({
 
   // Kibana saved objects (index patter, visualizations, dashboard, ...)
   // Should provide a nice demo of Kibana's functionality with the sample data set
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   savedObjects: schema.arrayOf(
     schema.object(
       {
         id: schema.string(),
         type: schema.string(),
         attributes: schema.any(),
+        // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
         references: schema.arrayOf(schema.any()),
         version: schema.maybe(schema.any()),
       },
       { unknowns: 'allow' }
     )
   ),
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   dataIndices: schema.arrayOf(dataIndexSchema),
 
   status: schema.maybe(schema.string()),

@@ -32,6 +32,7 @@ const artifactsSchema = schema.object({
     })
   ),
   // Kibana dashboards created by this product.
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   dashboards: schema.arrayOf(dashboardSchema),
   application: schema.maybe(
     schema.object({
@@ -49,6 +50,7 @@ const statusCheckSchema = schema.object({
   success: schema.maybe(schema.string()),
   error: schema.maybe(schema.string()),
   esHitsCheck: schema.object({
+    // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
     index: schema.oneOf([schema.string(), schema.arrayOf(schema.string())]),
     query: schema.recordOf(schema.string(), schema.any()),
   }),
@@ -58,6 +60,7 @@ export type StatusCheckSchema = TypeOf<typeof statusCheckSchema>;
 const instructionSchema = schema.object({
   title: schema.maybe(schema.string()),
   textPre: schema.maybe(schema.string()),
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   commands: schema.maybe(schema.arrayOf(schema.string())),
   textPost: schema.maybe(schema.string()),
   customComponentName: schema.maybe(schema.string()),
@@ -66,6 +69,7 @@ export type Instruction = TypeOf<typeof instructionSchema>;
 
 const instructionVariantSchema = schema.object({
   id: schema.string(),
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   instructions: schema.arrayOf(instructionSchema),
   initialSelected: schema.maybe(schema.boolean()),
 });
@@ -82,12 +86,14 @@ const instructionSetSchema = schema.object({
     })
   ),
   // Variants (OSes, languages, etc.) for which tutorial instructions are specified.
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   instructionVariants: schema.arrayOf(instructionVariantSchema),
   statusCheck: schema.maybe(statusCheckSchema),
 });
 export type InstructionSetSchema = TypeOf<typeof instructionSetSchema>;
 
 const instructionsSchema = schema.object({
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   instructionSets: schema.arrayOf(instructionSetSchema),
 });
 export type InstructionsSchema = TypeOf<typeof instructionsSchema>;
@@ -144,6 +150,7 @@ export const tutorialSchema = schema.object({
   customStatusCheckName: schema.maybe(schema.string()),
 
   // Category assignment for the integration browser
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   integrationBrowserCategories: schema.maybe(schema.arrayOf(schema.string())),
 
   // Name of an equivalent package in EPR. e.g. this needs to be explicitly defined if it cannot be derived from a heuristic.

@@ -24,8 +24,8 @@ export const registerInternalFindRoute = (router: GlobalSearchRouter) => {
         body: schema.object({
           params: schema.object({
             term: schema.maybe(schema.string()),
-            types: schema.maybe(schema.arrayOf(schema.string())),
-            tags: schema.maybe(schema.arrayOf(schema.string())),
+            types: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })),
+            tags: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })),
           }),
           options: schema.maybe(
             schema.object({

@@ -24,7 +24,9 @@ export const registerFindAssignableObjectsRoute = (router: TagsPluginRouter) =>
         query: schema.object({
           search: schema.maybe(schema.string()),
           max_results: schema.number({ min: 0, defaultValue: 1000 }),
-          types: schema.maybe(schema.oneOf([schema.string(), schema.arrayOf(schema.string())])),
+          types: schema.maybe(
+            schema.oneOf([schema.string(), schema.arrayOf(schema.string(), { maxSize: 100 })])
+          ),
         }),
       },
     },

@@ -28,9 +28,9 @@ export const registerUpdateTagsAssignmentsRoute = (router: TagsPluginRouter) =>
       validate: {
         body: schema.object(
           {
-            tags: schema.arrayOf(schema.string(), { minSize: 1 }),
-            assign: schema.arrayOf(objectReferenceSchema, { defaultValue: [] }),
-            unassign: schema.arrayOf(objectReferenceSchema, { defaultValue: [] }),
+            tags: schema.arrayOf(schema.string(), { minSize: 1, maxSize: 100 }),
+            assign: schema.arrayOf(objectReferenceSchema, { defaultValue: [], maxSize: 1000 }),
+            unassign: schema.arrayOf(objectReferenceSchema, { defaultValue: [], maxSize: 1000 }),
           },
           {
             validate: ({ assign, unassign }) => {

@@ -21,7 +21,7 @@ export const registerInternalBulkDeleteRoute = (router: TagsPluginRouter) => {
       },
       validate: {
         body: schema.object({
-          ids: schema.arrayOf(schema.string()),
+          ids: schema.arrayOf(schema.string(), { maxSize: 100 }),
         }),
       },
     },