Metric names, label names, and label values containing HTML/JavaScript were
inserted into `innerHTML` without escaping in several UI code paths, enabling
stored XSS attacks via crafted metrics. This mostly becomes exploitable in
Prometheus 3.x, since it defaults to allowing any UTF-8 characters in metric
and label names.
Apply `escapeHTML()` to all user-controlled values before innerHTML
insertion in:
* Mantine UI chart tooltip
* Old React UI chart tooltip
* Old React UI metrics explorer fuzzy search
* Old React UI heatmap tooltip
See https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99
Signed-off-by: Julius Volz <julius.volz@gmail.com>
When health_filter is set without explicit services, the catalog needs
to be watched to enumerate services. Add watchedFilter to the condition
that triggers catalog watching.
Improve the filter test suite:
- Replace defer with t.Cleanup for stub servers.
- Rewrite TestFilterOption to assert that the catalog receives the filter
and the health endpoint does not.
- Rewrite TestHealthFilterOption to assert that health_filter is routed
correctly to the health endpoint only.
- Add TestBothFiltersOption to verify both filters are routed to their
respective endpoints when both are configured.
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
The filter field was documented as targeting the Catalog API but since
PR #17349 it was also passed to the Health API. This broke existing
configs using Catalog-only fields like ServiceTags, which the Health API
rejects (it uses Service.Tags instead).
Introduce a separate health_filter field that is passed exclusively to
the Health API, while filter remains catalog-only. Update the docs to
explain the two-phase discovery (Catalog for service listing, Health for
instances) and the field name differences between the two APIs.
Fixes#18479
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
Add test cases for two edge cases in the info() function:
- Enrichment when inner series are missing one identifying label
- Conflicting labels across different info metrics should error
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
QueryForStateSeries built Select matchers from the raw rule labels,
which can contain Go template expressions such as
`instance_{{ $labels.instance }}`. The stored ALERTS_FOR_STATE series
carry the per-instance evaluated values (e.g. `instance_0`), so the
unevaluated template string never matched, leaving seriesByLabels empty
and silently skipping restoration for every active alert.
Fix by omitting any label whose value contains `{{` from the matcher
list. Static labels (including `__name__` and `alertname`) are never
templated and continue to scope the query to the correct rule. The
in-memory lookup against evaluated alert labels that follows is
unaffected, so the single-query-per-rule optimisation introduced in
#13980 is fully preserved.
Fixes#16883
Ref #13980
Ref #18364
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
The retention.percentage config field was typed as uint, which silently
truncated fractional values. Setting percentage: 1.5 in prometheus.yml
resulted in a retention of 1%, with no warning or error.
Remove the redundant MaxPercentage > 100 clamp in main.go; the config
UnmarshalYAML already returns an error for out-of-range values before
this code is reached.
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
Migrate to new PromCI actions.
* Use direct repo actions instead of the setup / run pattern.
* Migrate check_proto action to inline.
Signed-off-by: SuperQ <superq@gmail.com>
* discovery/vultr: upgrade govultr from v2 to v3
The govultr/v2 library is no longer actively maintained. Upgrade to
govultr/v3 (v3.28.1) which receives regular updates and security
patches.
The v3 library is API-compatible with v2 for the Instance.List
method used by the Vultr SD, with the only change being an
additional *http.Response return value.
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
* discovery/vultr: check HTTP response status code
Validate that the Vultr API returns a 2xx status code after listing
instances, as the *http.Response from govultr v3 is now available.
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
* discovery/vultr: fix linter error in error string capitalization
Error strings should not be capitalized per Go conventions (ST1005).
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
---------
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
Adds `scripts/generate_release_notes.sh` to produce a structured CHANGELOG.md starting point using the Kubernetes release-notes tool. It handles both minor and patch releases.
`RELEASE.md` is updated to reference the script and drop the manual instructions.
Version examples are updated from 2.x to 3.x.
The `check_release_notes` CI workflow is extended to also run on `release-*` branches in order for the script to catch commits added to the release note , and the PR template wording is tightened.
Signed-off-by: machine424 <ayoubmrini424@gmail.com>
* promqltest: use AppenderV2 in load command
Switch the PromQL test framework's load command from storage.Appender
to storage.AppenderV2 in appendSample, appendCustomHistogram and
appendTill. ST is set to 0 (unknown) for now; a follow-up will add
per-sample ST specification in load statements.
Signed-off-by: György Krajcsovits <gyorgy.krajcsovits@grafana.com>
Coded with Claude Sonnet 4.6.
Signed-off-by: György Krajcsovits <gyorgy.krajcsovits@grafana.com>
* promqltest: fix unchecked Rollback error
Signed-off-by: György Krajcsovits <gyorgy.krajcsovits@grafana.com>
Coded with Claude Sonnet 4.6.
Signed-off-by: György Krajcsovits <gyorgy.krajcsovits@grafana.com>
---------
Signed-off-by: György Krajcsovits <gyorgy.krajcsovits@grafana.com>
Use writeBitsFast instead of writeBits in putVarbitInt/putVarbitUint,
combining prefix and value into a single call per bucket. Inline the
common fast paths in XOR2 Append to avoid encodeJoint and putVarbitInt
calls for the typical dod=0 and 13-bit dod cases.
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
The debug flag in `promtool test rules` writes diagnostic output
using fmt.Printf to stdout, which can interfere with machine-parseable
output (e.g. JUnit XML via --junit-output) and piped workflows.
Redirect all DEBUG lines to stderr using fmt.Fprintf(os.Stderr, ...),
consistent with the existing error output pattern already present in
the file (line 78).
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
Update functions.md file, change 'standard variance' to 'variance' in function descriptions
Signed-off-by: Pavel Rysnik <126406830+sakuuj@users.noreply.github.com>
