From e91ea2b88dfa6c704948b3aff7851739f106d89d Mon Sep 17 00:00:00 2001
From: codercms
Date: Mon, 12 Jan 2026 19:02:08 +0300
Subject: [PATCH] chore: Limit max response body length and validate it
---
 server/model/monitor.js | 18 ++++++++++++++----
 src/util.ts | 13 +++++++++++++
 2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/server/model/monitor.js b/server/model/monitor.js
index 5404a47b5..900ded966 100644
--- a/server/model/monitor.js
+++ b/server/model/monitor.js
@@ -24,6 +24,8 @@ const {
 PING_PER_REQUEST_TIMEOUT_MIN,
 PING_PER_REQUEST_TIMEOUT_MAX,
 PING_PER_REQUEST_TIMEOUT_DEFAULT,
+ RESPONSE_BODY_LENGTH_DEFAULT,
+ RESPONSE_BODY_LENGTH_MAX,
 } = require("../../src/util");
 const {
 ping,
@@ -61,8 +63,6 @@ const DomainExpiry = require("./domain_expiry");
 const rootCertificates = rootCertificatesFingerprints();
-const DEFAULT_MAX_RESPONSE_LENGTH = 10240;
-
 /**
 * status:
 * 0 = DOWN
@@ -209,7 +209,7 @@ class Monitor extends BeanModel {
 // response saving options
 saveResponse: this.getSaveResponse(),
 saveErrorResponse: this.getSaveErrorResponse(),
- responseMaxLength: this.response_max_length ?? DEFAULT_MAX_RESPONSE_LENGTH,
+ responseMaxLength: this.response_max_length ?? RESPONSE_BODY_LENGTH_DEFAULT,
 };
 if (includeSensitiveData) {
@@ -1145,7 +1145,7 @@ class Monitor extends BeanModel {
 }
 }
- const maxSize = this.response_max_length !== undefined ? this.response_max_length : DEFAULT_MAX_RESPONSE_LENGTH;
+ const maxSize = this.response_max_length !== undefined ? this.response_max_length : RESPONSE_BODY_LENGTH_DEFAULT;
 if (maxSize > 0 && responseData.length > maxSize) {
 responseData = responseData.substring(0, maxSize) + "... (truncated)";
 }
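Review bot: In the `@@ -1145` hunk, `maxSize` is still selected with `this.response_max_length !== undefined ? … : RESPONSE_BODY_LENGTH_DEFAULT`, while the `@@ -209` hunk falls back with `??`. If the field can be `null` (for example an unset database column, which is not visible here), `maxSize` becomes `null`, `maxSize > 0` is false and the response body is stored untruncated. Using the same fallback in both places closes that gap: `const maxSize = this.response_max_length ?? RESPONSE_BODY_LENGTH_DEFAULT;`. The enclosing method starts and ends outside the hunk.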
@@ -1681,6 +1681,16 @@ class Monitor extends BeanModel {
 throw new Error(`Retry interval cannot be less than ${MIN_INTERVAL_SECOND} seconds`);
 }
+ if (this.response_max_length !== undefined) {
+ if (this.response_max_length < 0) {
+ throw new Error(`Response max length cannot be less than 0`);
+ }
+
+ if (this.response_max_length > RESPONSE_BODY_LENGTH_MAX) {
+ throw new Error(`Response max length cannot be more than ${RESPONSE_BODY_LENGTH_MAX} bytes`);
+ }
+ }
+
 if (this.type === "ping") {
 // ping parameters validation
 if (this.packetSize && (this.packetSize < PING_PACKET_SIZE_MIN || this.packetSize > PING_PACKET_SIZE_MAX)) {
diff --git a/src/util.ts b/src/util.ts
index ef6fe7538..08c291f9e 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -66,6 +66,19 @@ export const PING_PER_REQUEST_TIMEOUT_MIN = 1;
 export const PING_PER_REQUEST_TIMEOUT_MAX = 60;
 export const PING_PER_REQUEST_TIMEOUT_DEFAULT = 2;
+/**
+ * Response body length cutoff used by default (10kb)
+ * (measured in bytes)
+ * @type {number}
+ */
+export const RESPONSE_BODY_LENGTH_DEFAULT = 1024 * 10;
+/**
+ * Maximum allowed response body length to store (1mb)
+ * (measured in bytes)
+ * @type {number}
+ */
+export const RESPONSE_BODY_LENGTH_MAX = 1024 * 1024;
+
 // Console colors
 // https://stackoverflow.com/questions/9781218/how-to-change-node-jss-console-font-color
 export const CONSOLE_STYLE_Reset = "\x1b[0m";
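Review bot: The new bounds check in the `@@ -1681` hunk only compares with `<` and `>`, so `null`, `NaN` or a non-numeric string pass both comparisons, and `0` is accepted as valid. At the truncation site in the `@@ -1145` hunk (`if (maxSize > 0 && …)`) each of those values skips truncation, so the `RESPONSE_BODY_LENGTH_MAX` cap is not enforced for them and an arbitrarily large response body can be stored. If `0` is meant as "no limit", say so in a comment and weigh it against the purpose of the cap; otherwise reject it with `<= 0`. A type check placed before the range checks would cover the rest, allowing `null` only if it means "use the default": `if (!Number.isInteger(this.response_max_length)) { throw new Error("Response max length must be an integer"); }`. The validation method starts and ends outside the hunk.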
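Review bot: The doc comments on `RESPONSE_BODY_LENGTH_DEFAULT` and `RESPONSE_BODY_LENGTH_MAX` say "measured in bytes", but server/model/monitor.js applies the limit as `responseData.length > maxSize` and `substring(0, maxSize)`, which count UTF-16 code units of a string rather than bytes. A response made of multi-byte characters can therefore take more storage than the documented limit. Either reword both comments to `(measured in string characters, i.e. UTF-16 code units)` and drop "bytes" from the validation message, or measure with `Buffer.byteLength(responseData)` at the truncation site. The comment should also state what a value of `0` means, since the truncation check treats it as no limit.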