Hiroki Kawahara
Hiroki Kawahara
I tried to reflect the results of the discussion in the code. Does that make sense?
@simonpasquier I remember this PR. Can I have your review to merge this issue? :) I'm sorry for my poor English.
Sorry, I can't figure out how to fix it. 😢 What are real vulnerabilities? The risk of vulnerability is that prom-label-proxy sends a promql query with no matcher injected, isn't...
First of all, if this PR is having a negative impact on the development of prom-label-proxy, please feel free to close it. The behavior of https://github.com/observatorium/api/pull/595 looks like my first...
> I think we should be enforcing on both query params and form data, if both are present. In that case, we can choose not to insert anything with injectMatcher...
> These 3 cases are even more problematic because parser.ParseExpr will produce an error. But, according to Prometheus' docs, match[] is only required in the series call. > > So...
> but reading through the code example you gave I understand it correctly. I didn't have the confidence to express it in words, so I wrote the code as well....
I can't figure out what the route level enforcer is. Where will the route level enforcer be configured, the options are set as prom-label-proxy flags on the starting process, header...
> But I'm just someone from another project trying to upstream a fix. So I'm keen to listen to what maintainers and contributors believe this project should do and what...
> The issue is that different PromQL backends diverged on how they handle query params and form params. There are people out there building platforms on top of prom-label-proxy and...