Add input validation for ping values in /api/push endpoint

Co-authored-by: CommanderStorm <26258709+CommanderStorm@users.noreply.github.com>
copilot-swe-agent[bot] 2026-01-11 06:57:25 +00:00
parent 0192995a05
commit 10363388c0


@ -52,6 +52,13 @@ router.all("/api/push/:pushToken", async (request, response) => {
let statusString = request.query.status || "up";
const statusFromParam = statusString === "up" ? UP : DOWN;
// Validate ping value - max 1 billion ms (~11.5 days)
// Fits safely in both BIGINT and FLOAT(20,2)
const MAX_PING_MS = 1000000000;
if (ping !== null && (ping < 0 || ping > MAX_PING_MS)) {
throw new Error(`Invalid ping value. Must be between 0 and ${MAX_PING_MS} ms.`);
}
let monitor = await R.findOne("monitor", " push_token = ? AND active = 1 ", [pushToken]);
if (!monitor) {
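Review bot: The new range check on `ping` only rejects values that compare as out of range, so `NaN` passes it, because both `ping < 0` and `ping > MAX_PING_MS` are false for `NaN`. How `ping` is parsed from `request.query` is outside this hunk, so it may already be normalised to a finite number or `null` before this point. If it is not, an unparsable or non-numeric value would skip the bound and reach the column the comment is trying to protect. Making the guard self-contained removes that dependency: `if (ping !== null && (!Number.isFinite(ping) || ping < 0 || ping > MAX_PING_MS)) {`. The handler body starts before and continues past the hunk, so the parsing and the later write should be confirmed against the full file.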