
Bug: maxsize validation missing upper bound allows DoS #9

@tanbro

Severity

Medium

Location

File: src/redis_func_cache/cache.py
Lines: 359-363

Description

The maxsize setter only validates lower bound:

@maxsize.setter
def maxsize(self, value: int):
    if not value > 0:
        raise ValueError("maxsize must be a greater than 0")

This allows extremely large values (e.g., maxsize=10**18) which could cause Lua script eviction loops to run for an excessive time.

Impact

Potential DoS through computational resource exhaustion:

  • Lua scripts may timeout during eviction
  • Redis blocked during long-running eviction operations
  • Memory exhaustion if Redis attempts to allocate huge structures

Reproduction Steps

from redis_func_cache import LruTPolicy, RedisFuncCache

cache = RedisFuncCache("dos", LruTPolicy(), maxsize=10**18, ...)
@cache
def func(x):
    return x

# Fill cache to trigger eviction with maxsize=10**18
for i in range(10**6):
    func(i)  # Each eviction will scan enormous sorted set

Proposed Solution

Add upper bound validation:

@maxsize.setter
def maxsize(self, value: int):
    if not value > 0:
        raise ValueError("maxsize must be greater than 0")
    if value > 10**7:  # 10 million is a reasonable upper bound
        raise ValueError("maxsize too large (max 10,000,000)")
    self._maxsize = value

Additional Context

  • 10 million items is already very large for most use cases
  • Redis sorted sets have O(log N) operations, but eviction requires finding min/max
  • Consider adding warnings for large values rather than hard errors
  • Could add configuration option to customize max limit
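
The proposed setter, extended with the two ideas from the notes above (a soft threshold that only warns, and a hard limit that can be configured per instance), as an added example. This is not redis_func_cache code; the class `BoundedMaxsize`, the helper `validate_maxsize`, and the parameters `hard_limit` and `warn_above` are hypothetical names chosen for the illustration. It also rejects `bool` and non-`int` values, which the original lower-bound check lets through (`True` passes `value > 0` and becomes maxsize=1).

```python
import warnings

# Added example, not redis_func_cache code. Class and parameter names are hypothetical.
DEFAULT_HARD_LIMIT = 10_000_000  # the 10 million cap proposed in the issue
DEFAULT_WARN_ABOVE = 1_000_000   # soft threshold: accept the value, but warn


class MaxsizeTooLargeWarning(UserWarning):
    """Emitted when maxsize is above the soft threshold but within the hard limit."""


class BoundedMaxsize:
    """Hold a validated maxsize: lower bound, soft warning threshold, configurable hard limit."""

    def __init__(self, value, *, hard_limit=DEFAULT_HARD_LIMIT, warn_above=None):
        if isinstance(hard_limit, bool) or not isinstance(hard_limit, int) or hard_limit <= 0:
            raise ValueError("hard_limit must be a positive integer")
        if warn_above is None:
            # Default soft threshold never exceeds the hard limit.
            warn_above = min(DEFAULT_WARN_ABOVE, hard_limit)
        if isinstance(warn_above, bool) or not isinstance(warn_above, int) or not 0 < warn_above <= hard_limit:
            raise ValueError("warn_above must be a positive integer not above hard_limit")
        self._hard_limit = hard_limit
        self._warn_above = warn_above
        self.maxsize = value  # runs the setter below

    @property
    def maxsize(self) -> int:
        return self._maxsize

    @maxsize.setter
    def maxsize(self, value) -> None:
        # bool is a subclass of int; True would silently become maxsize=1, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"maxsize must be an int, got {type(value).__name__}")
        if value <= 0:
            raise ValueError("maxsize must be greater than 0")
        if value > self._hard_limit:
            raise ValueError(f"maxsize too large (max {self._hard_limit:,})")
        if value > self._warn_above:
            warnings.warn(
                f"maxsize={value:,} is unusually large; eviction may be slow",
                MaxsizeTooLargeWarning,
                stacklevel=2,
            )
        self._maxsize = value


def validate_maxsize(value, **limits) -> str:
    """Classify a candidate maxsize as 'ok', 'warn' or 'error' without raising.

    Handy for checking configuration before constructing a cache.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always", MaxsizeTooLargeWarning)
        try:
            BoundedMaxsize(value, **limits)
        except (TypeError, ValueError):
            return "error"
    return "warn" if any(issubclass(w.category, MaxsizeTooLargeWarning) for w in caught) else "ok"


if __name__ == "__main__":
    # Constructed candidates, including the 10**18 value from the issue and two type edge cases.
    for candidate in (0, -5, 128, 10**6 + 1, 10**7, 10**7 + 1, 10**18, True, 3.0):
        print(f"{candidate!r:>24}: {validate_maxsize(candidate)}")
```

With the defaults, 10**18 and 10**7 + 1 are rejected, anything between 10**6 + 1 and 10**7 is accepted with a MaxsizeTooLargeWarning, and values up to 10**6 pass silently; a caller that knows its workload can raise or lower both thresholds per instance.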

Metadata

Assignees: No one assigned

Labels: bug (Something isn't working)
