From d747c1ddb05dcfbf3e11e5a1c21664c418db350d Mon Sep 17 00:00:00 2001
From: Ripley
Date: Sun, 10 May 2026 22:43:16 -0500
Subject: [PATCH] fix: add range validation to /trends endpoint (1-365 day limit)
Security fix from Private_Hudson audit. Prevents arbitrary range queries that could cause expensive DB operations. Invalid ranges now return 400 with clear error message instead of being silently accepted.
---
 src/backend/app/api/monitoring.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/backend/app/api/monitoring.py b/src/backend/app/api/monitoring.py
index 3cf48a7..2f51a26 100644
--- a/src/backend/app/api/monitoring.py
+++ b/src/backend/app/api/monitoring.py
@@ -841,12 +841,17 @@ async def get_trends(
 from datetime import date, timedelta
 from app.services.monitoring.data_processing import ModelName
- # Parse range
+ # Parse range with safe upper limit
 range_days = 7
 if range_param == "30d":
 range_days = 30
 elif re.match(r"^(\d+)d$", range_param):
- range_days = int(range_param[:-1])
+ days = int(range_param[:-1])
+ if days < 1 or days > 365: # Safe limit: 1-365 days
+ raise HTTPException(status_code=400, detail="Invalid range. Must be between 1d and 365d")
+ range_days = days
+ else:
+ raise HTTPException(status_code=400, detail="Invalid range. Must be '7d', '30d', or 'Nd' where N is 1-365")
 # Get all cost snapshots
 statement = select(CostSnapshot).where(
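Review bot: The `$` anchor in `re.match(r"^(\d+)d$", range_param)` on the retained `elif` line also matches before a trailing newline, so a value such as `30d%0A` passes the regex and the new `int(range_param[:-1])` then raises ValueError, which surfaces as a 500 rather than the intended 400. Replacing that line with `elif re.fullmatch(r"\d{1,3}d", range_param):` closes the gap and also caps the digit count, so an arbitrarily long digit string is rejected up front instead of being parsed into a large integer and only then compared against 365. With that in place the `range_param == "30d"` branch and the `range_days = 7` default become dead code, since every remaining path either assigns `range_days` or raises, and the error message's special mention of '7d' and '30d' could be simplified to just 'Nd'. get_trends's signature is outside this hunk, so whether `range_param` can arrive as None (which would make `re.match` raise TypeError, again a 500) cannot be confirmed here and is worth checking at the parameter declaration.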