Define what a metric can be. #417
Comments
|
In addition, there probably should be an explanation of how a metric path is normalized:
|
for leading . it seems to work fine, for trailing, i noticed carbon/whisper creates an extra directory with a file named |
|
additionally, Any filesystem has a constraint on the length of the filename length. |
|
The final code for generating the file path for a metric is in database.py: def getFilesystemPath(self, metric):
metric_path = metric.replace('.', sep).lstrip(sep) + '.wsp'
return join(self.data_dir, metric_path)We can test it like this: >>> '.a.b'.replace('.', os.path.sep).lstrip(os.path.sep) + '.wsp'
'a/b.wsp'
>>> '.a.b.'.replace('.', os.path.sep).lstrip(os.path.sep) + '.wsp'
'a/b/.wsp'As shown in the above, metric like '.a.b' will be alright, however, metric like '.a.b.' will result in a path name like Maybe we can change it with: def getFilesystemPath(self, metric):
# change 'a/b/.wsp' to 'a/b.wsp'
metric_path = metric.replace('.', sep).lstrip(sep).rstrip(sep) + '.wsp'
return join(self.data_dir, metric_path) |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Right now, graphite and carbon both share the concept of a metric, but they don't have any kind of validation.
I haven't tested it, but given the way the
getFilesystemPath()works, I would assume you could craft a metric that would cause problems on the carbon server. Especially on windows.I think it'd be beneficial if a metric was fully defined. Something like:
../[A-Za-z0-9_-]+/This should prevent most/all exploits involving
getFilesystemPath()in carbon.It would also fix potential problems in graphite-web() mechanisms as well.
The text was updated successfully, but these errors were encountered: