Skip to content

fix: bound scrape query parameter parsing (#2285)#2290

Open
arnabnandy7 wants to merge 2 commits into
prometheus:mainfrom
arnabnandy7:security/config-leak-fix
Open

fix: bound scrape query parameter parsing (#2285)#2290
arnabnandy7 wants to merge 2 commits into
prometheus:mainfrom
arnabnandy7:security/config-leak-fix

Conversation

@arnabnandy7

Copy link
Copy Markdown
Contributor

Summary

Fixes #2285.

  • Add bounds to default scrape query parsing:
    • max query string length: 64 KiB
    • max query parameter count: 1024
  • Avoid unbounded queryString.split("&") allocation by scanning the query string incrementally.
  • Return HTTP 400 for invalid/excessive query parameters instead of surfacing an internal error.
  • Deduplicate metric name filter collections with LinkedHashSet.
  • Add exact-match fast paths in MetricNameFilter while preserving existing suffix-tolerant matching behavior.
  • Add regression tests for excessive query length and parameter count.

Testing

  • mise run lint:fix
  • ./mvnw.cmd test -pl prometheus-metrics-exporter-common -Dtest=PrometheusScrapeHandlerTest '-Dcoverage.skip=true' '-Dcheckstyle.skip=true'
  • ./mvnw.cmd test -pl prometheus-metrics-model -Dtest=MetricNameFilterTest '-Dcoverage.skip=true' '-Dcheckstyle.skip=true'
  • ./mvnw.cmd install -DskipTests '-Dcoverage.skip=true' -rf :prometheus-metrics-model

Note: mise run build fails on Windows because the task invokes ./mvnw; the equivalent mvnw.cmd command was run instead.

Signed-off-by: Arnab Nandy <arnab_nandy7@yahoo.com>
Signed-off-by: Arnab Nandy <arnab_nandy7@yahoo.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

# Security Report: Denial of Service via Unbounded name[] Query Parameter Flooding in prometheus/client_java

2 participants