Metric names, label names, and label values containing HTML/JavaScript were
inserted into `innerHTML` without escaping in several UI code paths, enabling
stored XSS attacks via crafted metrics. This mostly becomes exploitable in
Prometheus 3.x, since it defaults to allowing any UTF-8 characters in metric
and label names.
Apply `escapeHTML()` to all user-controlled values before innerHTML
insertion in:
* Mantine UI chart tooltip
* Old React UI chart tooltip
* Old React UI metrics explorer fuzzy search
* Old React UI heatmap tooltip
See https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99
Signed-off-by: Julius Volz <julius.volz@gmail.com>
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
This RC reverts the feature "OTLP: Support promoting OTel scope attributes".
Add the line back into the CHANGELOG for 3.5.0-rc.0, since we are not changing that version.
Signed-off-by: Bryan Boreham <bjboreham@gmail.com>
This commit adds the ts_of_(max,min,last)_over_time functions behind the experimental feature flag.
Signed-off-by: Michael Hoffmann <mhoffmann@cloudflare.com>
Addresses part of https://github.com/prometheus/prometheus/issues/16515
For now, I'm adding very similar filtering to the /rules page as we have on
the /alerts page, with the difference being:
* The state filter filters by rule health (ok/warn/unknown) instead of
alert state (firing/pending/inactive)
* We don't collect & show detailed stats on the different state counts as
we do on the /alerts page
There is a lot of copied / very similar code between those two pages (and
also some others) around filtering and pagination, so maybe there is an
opportunity for more code sharing in the future here.
Signed-off-by: Julius Volz <julius.volz@gmail.com>
When opening the status pages menu while already viewing one of the
status pages, the whole page would be re-rendered because the menu target's
default action of following the current page's URL was not prevented. Also,
we don't need to use a NavLink component for the menu target when we are
not viewing a status page, because then the component won't need to be
highlighted anyways.
Discovered + fixed with the help of react-scan.
Signed-off-by: Julius Volz <julius.volz@gmail.com>
Moving the debouncing of the search field to the parent component and then
memoizing the ScrapePoolsList component prevents a lot of superfluous
re-renders of the entire scrape pools list that previously got triggered
immediately when you typed in the search box or even just collapsed a pool.
(While the computation of what data to show was already memoized in the
ScrapePoolList component, the component itself still had to re-render a lot
with the same data.)
Discovered this problem + verified fix using react-scan.
Signed-off-by: Julius Volz <julius.volz@gmail.com>
Updated/fixed/changed a lot of content, changed wordings and style, etc.
Things should now be in an order that most users / developers expect, with the
most relevant sections (how to build + run) at the top.
Signed-off-by: Julius Volz <julius.volz@gmail.com>
In stacked / flex layouts like on the service discovery page, elements get a
100% width unless you tell them to only be as wide as their contents.
Signed-off-by: Julius Volz <julius.volz@gmail.com>
Technically, we are not filtering by the state of a single rule, but by the
whole rule group state (if even a single alert is firing within a group,
filtering for "Pending" won't show the group, even if it has pending
alerts).
Signed-off-by: Julius Volz <julius.volz@gmail.com>
