MAX_LIMIT can be bypassed with params.limit = NaN

[SeanLMcCullough]

Tested using the Mongoose Plugin.

The test: if (params.limit > config.MAX_LIMIT) params.limit = config.MAX_LIMIT; can be bypassed if a programming error or edge case exists resulting in params.limit = NaN.

An example is when parsing a query param using params.limit = parseInt(ctx.query.limit, 10).

In this case, params.limit will remain as NaN because NaN > 300 === false.

MongoDB will treat that as an infinite limit and fetch all documents, bypassing the limit value.