Remote read endpoint should limit the size of the HTTP Post data it reads #4238
Thanks for reporting. If it's causing the server to segfault or get overloaded you can share it here; if it's something more severe or you'd prefer not to, you can email it to me at the address on my GitHub profile.
Okay, so it's "just" an overload/OoM issue: one option to fix this would be to limit the size of the request body (and make the limit configurable if needed) such that a remote "client" cannot send arbitrary amounts of data into the server's RAM.
A (very simple) proof-of-concept:
This looks to be possible or equivalent in a few places; Go, for example, will use 32MB for POST data and then start spilling to disk. For this particular one a hardcoded limit should be fine.
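The remedy the thread settles on, shown as an added example: this is not Prometheus's own code and not the change merged in #4239. It puts a handler that buffers the POST body without bound (the pattern the report describes) beside one that caps the body with http.MaxBytesReader from the standard library, then drives both in-process with a body one byte over the cap. The 1 MiB limit, the handler names and the /api/v1/read path are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxReadRequestBytes caps how much of a remote read POST body the server will
// buffer. The value is an assumption for this example; the thread only calls
// for a hard-coded limit, the number itself is not from the page.
const maxReadRequestBytes = 1 << 20 // 1 MiB

// vulnerableHandler shows the pattern the report describes: the whole request
// body is read into memory with no upper bound, so the client decides how much
// RAM the server allocates, and a large enough body takes the process down.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// A real handler would decompress and unmarshal here; this one only reports the size.
	fmt.Fprintf(w, "read %d bytes", len(body))
}

// hardenedHandler wraps the body in http.MaxBytesReader before reading it.
// Reads fail once more than maxReadRequestBytes have been consumed, and the
// server stops reading and closes the connection after responding, so a
// client cannot push arbitrary amounts of data into the process.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxReadRequestBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError // the error type MaxBytesReader returns (Go 1.19+)
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "read %d bytes", len(body))
}

// postBody drives a handler in-process with a POST of the given body and
// returns the status code it produced. The request path is an assumption.
func postBody(handler http.HandlerFunc, body []byte) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/v1/read", bytes.NewReader(body))
	handler(rec, req)
	return rec.Code
}

func main() {
	// Constructed inputs: a small body and one that is one byte over the cap.
	small := bytes.Repeat([]byte("x"), 1024)
	oversized := bytes.Repeat([]byte("x"), maxReadRequestBytes+1)

	fmt.Println("vulnerable, 1 KiB body:    ", postBody(vulnerableHandler, small))
	fmt.Println("vulnerable, 1 MiB+1 body:  ", postBody(vulnerableHandler, oversized)) // 200: it buffered everything
	fmt.Println("hardened, 1 KiB body:      ", postBody(hardenedHandler, small))
	fmt.Println("hardened, 1 MiB+1 body:    ", postBody(hardenedHandler, oversized)) // 413
}
```

Two caveats when applying this to a real remote read endpoint. The cap above bounds bytes on the wire; remote read request bodies are snappy-compressed, so the decoded size needs its own bound as well (check the declared decoded length before decompressing rather than after). And once the limit is hit, http.MaxBytesReader tells the server not to drain the rest of the body and to close the connection after the reply, which is the behaviour you want against an abusive sender, but it means a legitimate client that was still writing may see a connection reset rather than a clean 413.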
brian-brazil added the help wanted, low hanging fruit, kind/bug and component/ui labels on Jun 7, 2018
brian-brazil changed the title from "Server is vulnerable to DoS attack" to "Remote read endpoint should limit the size of the HTTP Post data it reads" on Jun 7, 2018
aead referenced this issue on Jun 7, 2018 in the merged pull request "limit size of POST requests against remote read endpoint" #4239
brian-brazil closed this in #4239 on Jun 8, 2018
brian-brazil added a commit that referenced this issue on Jun 8, 2018
mknapphrt added a commit to mknapphrt/prometheus that referenced this issue on Jul 26, 2018
gouthamve added a commit to gouthamve/prometheus that referenced this issue on Aug 1, 2018
jacksontj added a commit to jacksontj/prometheus that referenced this issue on Aug 14, 2018
lock bot commented Mar 22, 2019
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
aead commented Jun 7, 2018
Bug Report
What did you do?
I'm able to kill a prometheus server. I've read the Prometheus security model and I can violate:
So I reached out on twitter to ask how to report a security issue for Prometheus but got no response.
I did not disclose details since I don't know what the disclosure policy looks like - I can disclose the vulnerability in this issue if you want me to.
What did you expect to see?
I should not be able to kill a prometheus server the way I can at the moment.
What did you see instead? Under which circumstances?
I can kill (arbitrary) prometheus servers (AFAICT).
prometheus version: 2.2.1 (locally verified). Older versions are affected too and I think the latest version 2.3.0 as well (but I haven't verified this).