Minimum check interval is only enforced on the frontend #625

Closed
lrstanley opened this issue Oct 9, 2021 · 2 comments
Labels
feature-request Request for new features to be added

Comments

@lrstanley

lrstanley commented Oct 9, 2021

Describe the bug

A user can submit an HTTP request with an extremely low check interval (say... 0.01s), as the limit is only enforced on the frontend side of the service. This can lead to a potential denial-of-service attack by overloading the service, and potentially causing service disruption to the target monitored website.

To Reproduce

Steps to reproduce the behavior: Either submit an HTTP request with the lower value, or use Chrome debugging tools to remove the min="<int>" and type="number" attributes, which will allow you to still lower the value via the UI.

Was able to replicate this on: demo.uptime.kuma.pet.

Expected behavior

The frontend and backend should both enforce this behavior, to prevent unwanted or malicious behavior.

@lrstanley lrstanley added the bug Something isn't working label Oct 9, 2021
@louislam louislam added feature-request Request for new features to be added and removed bug Something isn't working labels Oct 9, 2021
@louislam
Owner

louislam commented Oct 9, 2021

Thank you for your report.

Yes, the input validations are frontend only currently. In the current stage, it should not be a big problem, as there is only one user account. And that's one of the reasons why the multiple-user feature (#128) is not implemented yet.

However, it did hurt the demo site, so I just fixed it quickly: 5c89562

It would be appreciated if you could send security issues to the email first.
https://github.com/louislam/uptime-kuma/security/policy

@CommanderStorm
Collaborator

@lrstanley I think this issue is resolved:
[image]

Which is checked on the server here:

```javascript
/** Make sure monitor interval is between bounds */
validate() {
    if (this.interval > MAX_INTERVAL_SECOND) {
        throw new Error(`Interval cannot be more than ${MAX_INTERVAL_SECOND} seconds`);
    }
    if (this.interval < MIN_INTERVAL_SECOND) {
        throw new Error(`Interval cannot be less than ${MIN_INTERVAL_SECOND} seconds`);
    }
}
```

=> Could you close this issue?
