mirror of
https://github.com/prometheus/prometheus.git
synced 2026-05-13 00:28:42 +02:00
Merge branch 'release-3.11' into merge-3.11
This commit is contained in:
Julien Pivotto
commit
5e4c110c65
13
CHANGELOG.md
13
CHANGELOG.md
@ -1,5 +1,18 @@
|
||||
# Changelog
|
||||
|
||||
## 3.11.3 / 2026-04-27
|
||||
|
||||
This release fixes mutiple security issues.
|
||||
|
||||
We would like to thank the following people for the responsible disclosures:
|
||||
- Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.
|
||||
- Brett Gervasoni for the AzureAD OAuth `client_secret` vulnerability.
|
||||
- @iiihaiii and @Ngocnn97 for the Old UI XSS vulnerability.
|
||||
|
||||
- [SECURITY] AzureAD remote write: Fix OAuth `client_secret` being exposed in plaintext via `/-/config` endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18590
|
||||
- [SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18584
|
||||
- [SECURITY] UI: Fix stored XSS via unescaped `le` label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18588
|
||||
|
||||
## 3.11.2 / 2026-04-13
|
||||
|
||||
This release has a fix for a Stored XSS vulnerability that can be triggered via crafted metric names and label values in Prometheus web UI tooltips and metrics explorer. Thanks to Duc Anh Nguyen from TinyxLab for reporting it.
|
||||
|
||||
@ -67,6 +67,14 @@ func DecodeReadRequest(r *http.Request) (*prompb.ReadRequest, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
decodedLen, err := snappy.DecodedLen(compressed)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if decodedLen > decodeReadLimit {
|
||||
return nil, fmt.Errorf("snappy: decoded length %d exceeds limit %d", decodedLen, decodeReadLimit)
|
||||
}
|
||||
|
||||
reqBuf, err := snappy.Decode(nil, compressed)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
||||
@ -765,6 +765,17 @@ func TestDecodeOTLPWriteRequestGzipSizeLimit(t *testing.T) {
|
||||
require.Error(t, err)
|
||||
}
|
||||
|
||||
func TestDecodeReadRequestTooLarge(t *testing.T) {
|
||||
// 5-byte snappy stream whose header claims 256 MiB decoded length,
|
||||
// well above decodeReadLimit (32 MiB).
|
||||
bomb := []byte{0x80, 0x80, 0x80, 0x80, 0x01}
|
||||
req, err := http.NewRequest(http.MethodPost, "/", bytes.NewReader(bomb))
|
||||
require.NoError(t, err)
|
||||
|
||||
_, err = DecodeReadRequest(req)
|
||||
require.ErrorContains(t, err, "exceeds limit")
|
||||
}
|
||||
|
||||
func TestDecodeWriteRequest(t *testing.T) {
|
||||
buf, _, _, err := buildWriteRequest(nil, writeRequestFixture.Timeseries, nil, nil, nil, nil, "snappy")
|
||||
require.NoError(t, err)
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "@prometheus-io/mantine-ui",
|
||||
"private": true,
|
||||
"version": "0.311.2",
|
||||
"version": "0.311.3",
|
||||
"type": "module",
|
||||
"scripts": {
|
||||
"start": "vite",
|
||||
@ -28,7 +28,7 @@
|
||||
"@microsoft/fetch-event-source": "^2.0.1",
|
||||
"@nexucis/fuzzy": "^0.5.1",
|
||||
"@nexucis/kvsearch": "^0.9.1",
|
||||
"@prometheus-io/codemirror-promql": "0.311.2",
|
||||
"@prometheus-io/codemirror-promql": "0.311.3",
|
||||
"@reduxjs/toolkit": "^2.11.2",
|
||||
"@tabler/icons-react": "^3.40.0",
|
||||
"@tanstack/react-query": "^5.95.2",
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@prometheus-io/codemirror-promql",
|
||||
"version": "0.311.2",
|
||||
"version": "0.311.3",
|
||||
"description": "a CodeMirror mode for the PromQL language",
|
||||
"types": "dist/esm/index.d.ts",
|
||||
"module": "dist/esm/index.js",
|
||||
@ -29,7 +29,7 @@
|
||||
},
|
||||
"homepage": "https://github.com/prometheus/prometheus/blob/main/web/ui/module/codemirror-promql/README.md",
|
||||
"dependencies": {
|
||||
"@prometheus-io/lezer-promql": "0.311.2",
|
||||
"@prometheus-io/lezer-promql": "0.311.3",
|
||||
"lru-cache": "^11.2.7"
|
||||
},
|
||||
"devDependencies": {
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@prometheus-io/lezer-promql",
|
||||
"version": "0.311.2",
|
||||
"version": "0.311.3",
|
||||
"description": "lezer-based PromQL grammar",
|
||||
"main": "dist/index.cjs",
|
||||
"type": "module",
|
||||
|
||||
14
web/ui/package-lock.json
generated
14
web/ui/package-lock.json
generated
@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "prometheus-io",
|
||||
"version": "0.311.2",
|
||||
"version": "0.311.3",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "prometheus-io",
|
||||
"version": "0.311.2",
|
||||
"version": "0.311.3",
|
||||
"workspaces": [
|
||||
"mantine-ui",
|
||||
"module/*"
|
||||
@ -24,7 +24,7 @@
|
||||
},
|
||||
"mantine-ui": {
|
||||
"name": "@prometheus-io/mantine-ui",
|
||||
"version": "0.311.2",
|
||||
"version": "0.311.3",
|
||||
"dependencies": {
|
||||
"@codemirror/autocomplete": "^6.20.1",
|
||||
"@codemirror/language": "^6.12.3",
|
||||
@ -42,7 +42,7 @@
|
||||
"@microsoft/fetch-event-source": "^2.0.1",
|
||||
"@nexucis/fuzzy": "^0.5.1",
|
||||
"@nexucis/kvsearch": "^0.9.1",
|
||||
"@prometheus-io/codemirror-promql": "0.311.2",
|
||||
"@prometheus-io/codemirror-promql": "0.311.3",
|
||||
"@reduxjs/toolkit": "^2.11.2",
|
||||
"@tabler/icons-react": "^3.40.0",
|
||||
"@tanstack/react-query": "^5.95.2",
|
||||
@ -88,10 +88,10 @@
|
||||
},
|
||||
"module/codemirror-promql": {
|
||||
"name": "@prometheus-io/codemirror-promql",
|
||||
"version": "0.311.2",
|
||||
"version": "0.311.3",
|
||||
"license": "Apache-2.0",
|
||||
"dependencies": {
|
||||
"@prometheus-io/lezer-promql": "0.311.2",
|
||||
"@prometheus-io/lezer-promql": "0.311.3",
|
||||
"lru-cache": "^11.2.7"
|
||||
},
|
||||
"devDependencies": {
|
||||
@ -121,7 +121,7 @@
|
||||
},
|
||||
"module/lezer-promql": {
|
||||
"name": "@prometheus-io/lezer-promql",
|
||||
"version": "0.311.2",
|
||||
"version": "0.311.3",
|
||||
"license": "Apache-2.0",
|
||||
"devDependencies": {
|
||||
"@lezer/generator": "^1.8.0",
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "prometheus-io",
|
||||
"description": "Monorepo for the Prometheus UI",
|
||||
"version": "0.311.2",
|
||||
"version": "0.311.3",
|
||||
"private": true,
|
||||
"scripts": {
|
||||
"build": "bash build_ui.sh --all",
|
||||
|
||||
@ -10,6 +10,7 @@ import { Button } from 'reactstrap';
|
||||
import { FontAwesomeIcon } from '@fortawesome/react-fontawesome';
|
||||
import { faTimes } from '@fortawesome/free-solid-svg-icons';
|
||||
import { GraphDisplayMode } from './Panel';
|
||||
import { escapeHTML } from '../../utils';
|
||||
|
||||
require('../../vendor/flot/jquery.flot');
|
||||
require('../../vendor/flot/jquery.flot.stack');
|
||||
@ -151,7 +152,7 @@ class Graph extends PureComponent<GraphProps, GraphState> {
|
||||
|
||||
if (options.yaxis && isHeatmap) {
|
||||
options.yaxis.ticks = () => new Array(data.length + 1).fill(0).map((_el, i) => i);
|
||||
options.yaxis.tickFormatter = (val) => `${val ? data[val - 1].labels.le : ''}`;
|
||||
options.yaxis.tickFormatter = (val) => `${val ? escapeHTML(data[val - 1].labels.le) : ''}`;
|
||||
options.yaxis.min = 0;
|
||||
options.yaxis.max = data.length;
|
||||
options.series.lines = { show: false };
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user