chore: Limit max response body length and validate it

2026-01-12 19:02:08 +03:00 · 2026-01-12 19:02:08 +03:00 · e91ea2b88d
commit e91ea2b88d
parent d36dfebbd9
2 changed files with 27 additions and 4 deletions
--- a/server/model/monitor.js
+++ b/server/model/monitor.js
@ -24,6 +24,8 @@ const {
    PING_PER_REQUEST_TIMEOUT_MIN,
    PING_PER_REQUEST_TIMEOUT_MAX,
    PING_PER_REQUEST_TIMEOUT_DEFAULT,
+    RESPONSE_BODY_LENGTH_DEFAULT,
+    RESPONSE_BODY_LENGTH_MAX,
 } = require("../../src/util");
 const {
    ping,
@ -61,8 +63,6 @@ const DomainExpiry = require("./domain_expiry");

 const rootCertificates = rootCertificatesFingerprints();

-const DEFAULT_MAX_RESPONSE_LENGTH = 10240;
-
 /**
 * status:
 *      0 = DOWN
@ -209,7 +209,7 @@ class Monitor extends BeanModel {
            // response saving options
            saveResponse: this.getSaveResponse(),
            saveErrorResponse: this.getSaveErrorResponse(),
-            responseMaxLength: this.response_max_length ?? DEFAULT_MAX_RESPONSE_LENGTH,
+            responseMaxLength: this.response_max_length ?? RESPONSE_BODY_LENGTH_DEFAULT,
        };

        if (includeSensitiveData) {
@ -1145,7 +1145,7 @@ class Monitor extends BeanModel {
            }
        }

-        const maxSize = this.response_max_length !== undefined ? this.response_max_length : DEFAULT_MAX_RESPONSE_LENGTH;
+        const maxSize = this.response_max_length !== undefined ? this.response_max_length : RESPONSE_BODY_LENGTH_DEFAULT;
        if (maxSize > 0 && responseData.length > maxSize) {
            responseData = responseData.substring(0, maxSize) + "... (truncated)";
        }
@ -1681,6 +1681,16 @@ class Monitor extends BeanModel {
            throw new Error(`Retry interval cannot be less than ${MIN_INTERVAL_SECOND} seconds`);
        }

+        if (this.response_max_length !== undefined) {
+            if (this.response_max_length < 0) {
+                throw new Error(`Response max length cannot be less than 0`);
+            }
+
+            if (this.response_max_length > RESPONSE_BODY_LENGTH_MAX) {
+                throw new Error(`Response max length cannot be more than ${RESPONSE_BODY_LENGTH_MAX} bytes`);
+            }
+        }
+
        if (this.type === "ping") {
            // ping parameters validation
            if (this.packetSize && (this.packetSize < PING_PACKET_SIZE_MIN || this.packetSize > PING_PACKET_SIZE_MAX)) {
--- a/src/util.ts
+++ b/src/util.ts
@ -66,6 +66,19 @@ export const PING_PER_REQUEST_TIMEOUT_MIN = 1;
 export const PING_PER_REQUEST_TIMEOUT_MAX = 60;
 export const PING_PER_REQUEST_TIMEOUT_DEFAULT = 2;

+/**
+ * Response body length cutoff used by default (10kb)
+ * (measured in bytes)
+ * @type {number}
+ */
+export const RESPONSE_BODY_LENGTH_DEFAULT = 1024 * 10;
+/**
+ * Maximum allowed response body length to store (1mb)
+ * (measured in bytes)
+ * @type {number}
+ */
+export const RESPONSE_BODY_LENGTH_MAX = 1024 * 1024;
+
 // Console colors
 // https://stackoverflow.com/questions/9781218/how-to-change-node-jss-console-font-color
 export const CONSOLE_STYLE_Reset = "\x1b[0m";