fix: add range validation to /trends endpoint (1-365 day limit)

Security fix from Private_Hudson audit. Prevents arbitrary range queries
that could cause expensive DB operations. Invalid ranges now return 400
with clear error message instead of being silently accepted.
Ripley 2026-05-10 22:43:16 -05:00
parent e348deb299
commit d747c1ddb0
1 changed files with 7 additions and 2 deletions


@ -841,12 +841,17 @@ async def get_trends(
from datetime import date, timedelta from datetime import date, timedelta
from app.services.monitoring.data_processing import ModelName from app.services.monitoring.data_processing import ModelName
# Parse range # Parse range with safe upper limit
range_days = 7 range_days = 7
if range_param == "30d": if range_param == "30d":
range_days = 30 range_days = 30
elif re.match(r"^(\d+)d$", range_param): elif re.match(r"^(\d+)d$", range_param):
range_days = int(range_param[:-1]) days = int(range_param[:-1])
if days < 1 or days > 365: # Safe limit: 1-365 days
raise HTTPException(status_code=400, detail="Invalid range. Must be between 1d and 365d")
range_days = days
else:
raise HTTPException(status_code=400, detail="Invalid range. Must be '7d', '30d', or 'Nd' where N is 1-365")
# Get all cost snapshots # Get all cost snapshots
statement = select(CostSnapshot).where( statement = select(CostSnapshot).where(
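Review bot: The `elif re.match(r"^(\d+)d$", range_param)` line still lets a 500 escape, because `$` matches before a trailing newline: a query value of `"30d\n"` satisfies the pattern, then `int(range_param[:-1])` receives `"30d"` and raises ValueError before the new 1-365 check ever runs. Using a full match with a bounded digit count, `elif re.fullmatch(r"\d{1,3}d", range_param):`, guarantees the slice is all digits and rejects an arbitrarily long digit string at the regex instead of handing it to `int()`; the 400 branches below can stay as written. The comment `# Safe limit: 1-365 days` would read better as `# Bound the lookback window so a single request cannot scan the whole snapshot table`, which says why the limit exists. get_trends begins before this hunk and continues after it, so the declaration of range_param is not visible; if it can be None, `re.match` would raise TypeError on that same line, so a default of "7d" at the signature would be worth confirming.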