nexedi/gitlab-ce commit 4cc9d3e2, authored May 26, 2020 by GitLab Bot
Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee
parent e81a7b71

Showing 4 changed files with 121 additions and 134 deletions

app/services/prometheus/proxy_variable_substitution_service.rb +29 -17
changelogs/unreleased/security-use-gsub-variable-substitution.yml +5 -0
locale/gitlab.pot +0 -3
spec/services/prometheus/proxy_variable_substitution_service_spec.rb +87 -114
app/services/prometheus/proxy_variable_substitution_service.rb
...
...
@@ -4,6 +4,16 @@ module Prometheus
class
ProxyVariableSubstitutionService
<
BaseService
include
Stepable
VARIABLE_INTERPOLATION_REGEX
=
/
%{ # Variable needs to be wrapped in these chars.
\s* # Allow whitespace before and after the variable name.
(?<variable> # Named capture.
\w+ # Match one or more word characters.
)
\s*
}
/x
.
freeze
steps
:validate_variables
,
:add_params_to_result
,
:substitute_params
,
...
...
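Review bot: The inline comments on `VARIABLE_INTERPOLATION_REGEX` describe each token but not the resulting contract: the named capture is `\w+`, so a placeholder whose name contains anything outside word characters (for example `-` or `.`) never matches and stays in the query as literal text, while a padded `%{ name }` does match. A one-line comment above the constant stating which placeholder forms are accepted would make that explicit. As a style point, writing the delimiters as `%\{` and `\}` would keep a reader from taking the braces for a quantifier.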
@@ -46,37 +56,39 @@ module Prometheus
success
(
result
)
end
def
substitute_
liquid
_variables
(
result
)
def
substitute_
ruby
_variables
(
result
)
return
success
(
result
)
unless
query
(
result
)
result
[
:params
][
:query
]
=
TemplateEngines
::
LiquidService
.
new
(
query
(
result
)).
render
(
full_context
)
result
[
:params
][
:query
]
=
gsub
(
query
(
result
),
full_context
)
success
(
result
)
rescue
TemplateEngines
::
LiquidService
::
RenderError
=>
e
error
(
e
.
message
)
end
def
substitute_
ruby
_variables
(
result
)
def
substitute_
liquid
_variables
(
result
)
return
success
(
result
)
unless
query
(
result
)
# The % operator doesn't replace variables if the hash contains string
# keys.
result
[
:params
][
:query
]
=
query
(
result
)
%
predefined_context
.
symbolize_keys
result
[
:params
][
:query
]
=
TemplateEngines
::
LiquidService
.
new
(
query
(
result
)).
render
(
full_context
)
success
(
result
)
rescue
TypeError
,
ArgumentError
=>
exception
log_error
(
exception
.
message
)
Gitlab
::
ErrorTracking
.
track_exception
(
exception
,
{
template_string:
query
(
result
),
variables:
predefined_context
})
rescue
TemplateEngines
::
LiquidService
::
RenderError
=>
e
error
(
e
.
message
)
end
error
(
_
(
'Malformed string'
))
def
gsub
(
string
,
context
)
# Search for variables of the form `%{variable}` in the string and replace
# them with their value.
string
.
gsub
(
VARIABLE_INTERPOLATION_REGEX
)
do
|
match
|
# Replace with the value of the variable, or if there is no such variable,
# replace the invalid variable with itself. So,
# `up{instance="%{invalid_variable}"}` will remain
# `up{instance="%{invalid_variable}"}` after substitution.
context
.
fetch
(
$~
[
:variable
],
match
)
end
end
def
predefined_context
@predefined_context
||=
Gitlab
::
Prometheus
::
QueryVariables
.
call
(
@environment
)
Gitlab
::
Prometheus
::
QueryVariables
.
call
(
@environment
).
stringify_keys
end
def
full_context
...
...
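Review bot: In the new `gsub` helper, `context.fetch($~[:variable], match)` looks the name up as a String, so substitution works only when every key of `full_context` is a String. This hunk adds `.stringify_keys` to `predefined_context`, but the body of `full_context` is outside the visible lines, and a Symbol key there would silently leave `%{name}` in the query instead of raising. Either normalize the keys where the lookup happens or cover a symbol-keyed variable in the spec. The replacement line in `predefined_context`, as shown, also no longer carries `@predefined_context ||=`, so `Gitlab::Prometheus::QueryVariables.call(@environment)` runs again on every call; keep the memoization around the stringified hash unless recomputing is intended. Finally, naming a private helper `gsub` when its body calls `String#gsub` is easy to misread; a name such as `substitute_variables` would be clearer.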
changelogs/unreleased/security-use-gsub-variable-substitution.yml
0 → 100644
---
title
:
Use `gsub` instead of the Ruby `%` operator to perform variable substitution in Prometheus proxy API
merge_request
:
author
:
type
:
security
locale/gitlab.pot
...
...
@@ -12434,9 +12434,6 @@ msgstr ""
msgid "Makes this issue confidential."
msgstr ""
msgid "Malformed string"
msgstr ""
msgid "Manage"
msgstr ""
...
...
spec/services/prometheus/proxy_variable_substitution_service_spec.rb
This diff is collapsed.