diff --git a/CHANGELOG.md b/CHANGELOG.md index 14baf6f01d..97cd81d170 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## 3.11.2 / 2026-04-13 + +This release has a fix for a Stored XSS vulnerability that can be triggered via crafted metric names and label values in Prometheus web UI tooltips and metrics explorer. Thanks to Duc Anh Nguyen from TinyxLab for reporting it. + +- [SECURITY] UI: Fix stored XSS via unescaped metric names and labels. CVE-2026-40179. #18506 +- [ENHANCEMENT] Consul SD: Introduce `health_filter` field for Health API filtering. #18499 +- [BUGFIX] Consul SD: Fix filter parameter being incorrectly applied to the Health API. #18499 + ## 3.11.1 / 2026-04-07 - [BUGFIX] Tracing: Fix startup failure for OTLP HTTP tracing with `insecure: true`. #18469 diff --git a/VERSION b/VERSION index 371cfe355d..1e33456831 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.11.1 +3.11.2 diff --git a/config/config_test.go b/config/config_test.go index 286c846ee4..1bbebfd567 100644 --- a/config/config_test.go +++ b/config/config_test.go @@ -482,6 +482,7 @@ var expectedConf = &Config{ PathPrefix: "/consul", Token: "mysecret", Services: []string{"nginx", "cache", "mysql"}, + HealthFilter: `Service.Tags contains "canary"`, ServiceTags: []string{"canary", "v1"}, NodeMeta: map[string]string{"rack": "123"}, TagSeparator: consul.DefaultSDConfig.TagSeparator, diff --git a/config/testdata/conf.good.yml b/config/testdata/conf.good.yml index 068f6d4d3e..edc17201bf 100644 --- a/config/testdata/conf.good.yml +++ b/config/testdata/conf.good.yml @@ -182,6 +182,7 @@ scrape_configs: token: mysecret path_prefix: /consul services: ["nginx", "cache", "mysql"] + health_filter: 'Service.Tags contains "canary"' tags: ["canary", "v1"] node_meta: rack: "123" diff --git a/config/testdata/roundtrip.good.yml b/config/testdata/roundtrip.good.yml index 24ab7d2592..d999dafd32 100644 --- a/config/testdata/roundtrip.good.yml +++ b/config/testdata/roundtrip.good.yml @@ -41,6 +41,7 @@ scrape_configs: - server: localhost:1234 token: services: [nginx, cache, mysql] + health_filter: 'Service.Tags contains "canary"' tags: [canary, v1] node_meta: rack: "123" diff --git a/discovery/consul/consul.go b/discovery/consul/consul.go index 4cc4003b2c..a8ffe5e8d3 100644 --- a/discovery/consul/consul.go +++ b/discovery/consul/consul.go @@ -116,9 +116,12 @@ type SDConfig struct { ServiceTags []string `yaml:"tags,omitempty"` // Desired node metadata. As of Consul 1.14, consider `filter` instead. NodeMeta map[string]string `yaml:"node_meta,omitempty"` - // Consul filter string - // See https://www.consul.io/api-docs/catalog#filtering-1, for syntax + // Filter expression for the Catalog API. + // See https://developer.hashicorp.com/consul/api-docs/catalog#filtering for syntax. Filter string `yaml:"filter,omitempty"` + // Filter expression for the Health API. + // See https://developer.hashicorp.com/consul/api-docs/health#filtering for syntax. + HealthFilter string `yaml:"health_filter,omitempty"` HTTPClientConfig config.HTTPClientConfig `yaml:",inline"` } @@ -170,20 +173,21 @@ func (c *SDConfig) UnmarshalYAML(unmarshal func(any) error) error { // Discovery retrieves target information from a Consul server // and updates them via watches. type Discovery struct { - client *consul.Client - clientDatacenter string - clientNamespace string - clientPartition string - tagSeparator string - watchedServices []string // Set of services which will be discovered. - watchedTags []string // Tags used to filter instances of a service. - watchedNodeMeta map[string]string - watchedFilter string - allowStale bool - refreshInterval time.Duration - finalizer func() - logger *slog.Logger - metrics *consulMetrics + client *consul.Client + clientDatacenter string + clientNamespace string + clientPartition string + tagSeparator string + watchedServices []string // Set of services which will be discovered. + watchedTags []string // Tags used to filter instances of a service. + watchedNodeMeta map[string]string + watchedFilter string + watchedHealthFilter string + allowStale bool + refreshInterval time.Duration + finalizer func() + logger *slog.Logger + metrics *consulMetrics } // NewDiscovery returns a new Discovery for the given config. @@ -218,20 +222,21 @@ func NewDiscovery(conf *SDConfig, logger *slog.Logger, metrics discovery.Discove return nil, err } cd := &Discovery{ - client: client, - tagSeparator: conf.TagSeparator, - watchedServices: conf.Services, - watchedTags: conf.ServiceTags, - watchedNodeMeta: conf.NodeMeta, - watchedFilter: conf.Filter, - allowStale: conf.AllowStale, - refreshInterval: time.Duration(conf.RefreshInterval), - clientDatacenter: conf.Datacenter, - clientNamespace: conf.Namespace, - clientPartition: conf.Partition, - finalizer: wrapper.CloseIdleConnections, - logger: logger, - metrics: m, + client: client, + tagSeparator: conf.TagSeparator, + watchedServices: conf.Services, + watchedTags: conf.ServiceTags, + watchedNodeMeta: conf.NodeMeta, + watchedFilter: conf.Filter, + watchedHealthFilter: conf.HealthFilter, + allowStale: conf.AllowStale, + refreshInterval: time.Duration(conf.RefreshInterval), + clientDatacenter: conf.Datacenter, + clientNamespace: conf.Namespace, + clientPartition: conf.Partition, + finalizer: wrapper.CloseIdleConnections, + logger: logger, + metrics: m, } return cd, nil @@ -330,7 +335,7 @@ func (d *Discovery) Run(ctx context.Context, ch chan<- []*targetgroup.Group) { } d.initialize(ctx) - if len(d.watchedServices) == 0 || len(d.watchedTags) != 0 { + if len(d.watchedServices) == 0 || len(d.watchedTags) != 0 || d.watchedFilter != "" { // We need to watch the catalog. ticker := time.NewTicker(d.refreshInterval) @@ -499,7 +504,7 @@ func (srv *consulService) watch(ctx context.Context, ch chan<- []*targetgroup.Gr WaitTime: watchTimeout, AllowStale: srv.discovery.allowStale, NodeMeta: srv.discovery.watchedNodeMeta, - Filter: srv.discovery.watchedFilter, + Filter: srv.discovery.watchedHealthFilter, } t0 := time.Now() diff --git a/discovery/consul/consul_test.go b/discovery/consul/consul_test.go index 32394dcc00..a92e37d4ce 100644 --- a/discovery/consul/consul_test.go +++ b/discovery/consul/consul_test.go @@ -240,8 +240,6 @@ func newServer(t *testing.T) (*httptest.Server, *SDConfig) { response = ServiceTestAnswer case "/v1/health/service/test?wait=120000ms": response = ServiceTestAnswer - case "/v1/health/service/test?filter=NodeMeta.rack_name+%3D%3D+%222304%22&wait=120000ms": - response = ServiceTestAnswer case "/v1/health/service/other?wait=120000ms": response = `[]` case "/v1/catalog/services?node-meta=rack_name%3A2304&stale=&wait=120000ms": @@ -297,7 +295,7 @@ func checkOneTarget(t *testing.T, tg []*targetgroup.Group) { // Watch all the services in the catalog. func TestAllServices(t *testing.T) { stub, config := newServer(t) - defer stub.Close() + t.Cleanup(stub.Close) d := newDiscovery(t, config) @@ -316,7 +314,7 @@ func TestAllServices(t *testing.T) { // targetgroup with no targets is emitted if no services were discovered. func TestNoTargets(t *testing.T) { stub, config := newServer(t) - defer stub.Close() + t.Cleanup(stub.Close) config.ServiceTags = []string{"missing"} d := newDiscovery(t, config) @@ -337,7 +335,7 @@ func TestNoTargets(t *testing.T) { // Watch only the test service. func TestOneService(t *testing.T) { stub, config := newServer(t) - defer stub.Close() + t.Cleanup(stub.Close) config.Services = []string{"test"} d := newDiscovery(t, config) @@ -352,7 +350,7 @@ func TestOneService(t *testing.T) { // Watch the test service with a specific tag and node-meta. func TestAllOptions(t *testing.T) { stub, config := newServer(t) - defer stub.Close() + t.Cleanup(stub.Close) config.Services = []string{"test"} config.NodeMeta = map[string]string{"rack_name": "2304"} @@ -373,61 +371,46 @@ func TestAllOptions(t *testing.T) { <-ch } -// Watch the test service with a specific tag and node-meta via Filter parameter. +// TestFilterOption verifies that when services and filter are both configured, the Catalog API +// is still called and receives the filter parameter, while the Health API does not. func TestFilterOption(t *testing.T) { - stub, config := newServer(t) - defer stub.Close() + var ( + catalogCalled bool + catalogFilter string + healthCalled bool + healthFilter string + ) - config.Services = []string{"test"} - config.Filter = `NodeMeta.rack_name == "2304"` - config.Token = "fake-token" - - d := newDiscovery(t, config) - - ctx, cancel := context.WithCancel(context.Background()) - ch := make(chan []*targetgroup.Group) - go func() { - d.Run(ctx, ch) - close(ch) - }() - checkOneTarget(t, <-ch) - cancel() -} - -// TestFilterOnHealthEndpoint verifies that filter is passed to health service endpoint. -func TestFilterOnHealthEndpoint(t *testing.T) { - filterReceived := false stub := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - response := "" + w.Header().Add("X-Consul-Index", "1") switch r.URL.Path { case "/v1/agent/self": - response = AgentAnswer + w.Write([]byte(AgentAnswer)) + case "/v1/catalog/services": + catalogCalled = true + catalogFilter = r.URL.Query().Get("filter") + w.Write([]byte(`{"test": []}`)) case "/v1/health/service/test": - // Verify filter parameter is present in the query - filter := r.URL.Query().Get("filter") - if filter == `Node.Meta.rack_name == "2304"` { - filterReceived = true - } - response = ServiceTestAnswer + healthCalled = true + healthFilter = r.URL.Query().Get("filter") + w.Write([]byte(ServiceTestAnswer)) default: t.Errorf("Unhandled consul call: %s", r.URL) } - w.Header().Add("X-Consul-Index", "1") - w.Write([]byte(response)) })) - defer stub.Close() + t.Cleanup(stub.Close) stuburl, err := url.Parse(stub.URL) require.NoError(t, err) - config := &SDConfig{ + cfg := &SDConfig{ Server: stuburl.Host, Services: []string{"test"}, - Filter: `Node.Meta.rack_name == "2304"`, + Filter: `NodeMeta.rack_name == "2304"`, RefreshInterval: model.Duration(1 * time.Second), } - d := newDiscovery(t, config) + d := newDiscovery(t, cfg) ctx, cancel := context.WithCancel(context.Background()) ch := make(chan []*targetgroup.Group) @@ -436,10 +419,132 @@ func TestFilterOnHealthEndpoint(t *testing.T) { close(ch) }() checkOneTarget(t, <-ch) + // All handler writes happened-before the channel receive above. + require.True(t, catalogCalled, "Catalog endpoint should be called when filter is set alongside services.") + require.Equal(t, `NodeMeta.rack_name == "2304"`, catalogFilter, "Catalog should receive the filter parameter.") + require.True(t, healthCalled, "Health endpoint should be called.") + require.Empty(t, healthFilter, "Health endpoint should not receive the catalog filter.") cancel() + for range ch { + } +} - // Verify the filter was actually sent to the health endpoint - require.True(t, filterReceived, "Filter parameter should be sent to health service endpoint") +// TestHealthFilterOption verifies that health_filter is passed to the Health API and not to +// the Catalog API. +func TestHealthFilterOption(t *testing.T) { + var ( + catalogCalled bool + catalogFilter string + healthCalled bool + healthFilter string + ) + + stub := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Add("X-Consul-Index", "1") + switch r.URL.Path { + case "/v1/agent/self": + w.Write([]byte(AgentAnswer)) + case "/v1/catalog/services": + catalogCalled = true + catalogFilter = r.URL.Query().Get("filter") + w.Write([]byte(`{"test": []}`)) + case "/v1/health/service/test": + healthCalled = true + healthFilter = r.URL.Query().Get("filter") + w.Write([]byte(ServiceTestAnswer)) + default: + t.Errorf("Unhandled consul call: %s", r.URL) + } + })) + t.Cleanup(stub.Close) + + stuburl, err := url.Parse(stub.URL) + require.NoError(t, err) + + // No services configured: catalog path is always used, allowing us to assert + // that health_filter is not forwarded to the Catalog API. + cfg := &SDConfig{ + Server: stuburl.Host, + HealthFilter: `Service.Tags contains "canary"`, + RefreshInterval: model.Duration(1 * time.Second), + } + + d := newDiscovery(t, cfg) + + ctx, cancel := context.WithCancel(context.Background()) + ch := make(chan []*targetgroup.Group) + go func() { + d.Run(ctx, ch) + close(ch) + }() + checkOneTarget(t, <-ch) + // All handler writes happened-before the channel receive above. + require.True(t, catalogCalled, "Catalog endpoint should be called.") + require.Empty(t, catalogFilter, "Catalog should not receive the health_filter parameter.") + require.True(t, healthCalled, "Health endpoint should be called.") + require.Equal(t, `Service.Tags contains "canary"`, healthFilter, "Health endpoint should receive the health_filter parameter.") + cancel() + for range ch { + } +} + +// TestBothFiltersOption verifies that when both filter and health_filter are configured, +// each filter is sent exclusively to its respective API endpoint. +func TestBothFiltersOption(t *testing.T) { + var ( + catalogCalled bool + catalogFilter string + healthCalled bool + healthFilter string + ) + + stub := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Add("X-Consul-Index", "1") + switch r.URL.Path { + case "/v1/agent/self": + w.Write([]byte(AgentAnswer)) + case "/v1/catalog/services": + catalogCalled = true + catalogFilter = r.URL.Query().Get("filter") + w.Write([]byte(`{"test": []}`)) + case "/v1/health/service/test": + healthCalled = true + healthFilter = r.URL.Query().Get("filter") + w.Write([]byte(ServiceTestAnswer)) + default: + t.Errorf("Unhandled consul call: %s", r.URL) + } + })) + t.Cleanup(stub.Close) + + stuburl, err := url.Parse(stub.URL) + require.NoError(t, err) + + cfg := &SDConfig{ + Server: stuburl.Host, + Services: []string{"test"}, + Filter: `NodeMeta.rack_name == "2304"`, + HealthFilter: `Service.Tags contains "canary"`, + RefreshInterval: model.Duration(1 * time.Second), + } + + d := newDiscovery(t, cfg) + + ctx, cancel := context.WithCancel(context.Background()) + ch := make(chan []*targetgroup.Group) + go func() { + d.Run(ctx, ch) + close(ch) + }() + checkOneTarget(t, <-ch) + // All handler writes happened-before the channel receive above. + require.True(t, catalogCalled, "Catalog endpoint should be called when filter is set.") + require.Equal(t, `NodeMeta.rack_name == "2304"`, catalogFilter, "Catalog should receive only the catalog filter.") + require.True(t, healthCalled, "Health endpoint should be called.") + require.Equal(t, `Service.Tags contains "canary"`, healthFilter, "Health endpoint should receive only the health_filter.") + cancel() + for range ch { + } } func TestGetDatacenterShouldReturnError(t *testing.T) { @@ -471,7 +576,7 @@ func TestGetDatacenterShouldReturnError(t *testing.T) { Token: "fake-token", RefreshInterval: model.Duration(1 * time.Second), } - defer stub.Close() + t.Cleanup(stub.Close) d := newDiscovery(t, config) // Should be empty if not initialized. diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md index 5df743e619..8346f58d1b 100644 --- a/docs/configuration/configuration.md +++ b/docs/configuration/configuration.md @@ -1421,7 +1421,17 @@ subscription_id: ### `` Consul SD configurations allow retrieving scrape targets from [Consul's](https://www.consul.io) -Catalog API. +service catalog. Discovery uses two Consul API endpoints: + +1. The [Catalog API](https://developer.hashicorp.com/consul/api-docs/catalog) to list services + (used when `services` is empty, or when `tags` or `filter` are set). +2. The [Health API](https://developer.hashicorp.com/consul/api-docs/health) to retrieve service + instances and their health status. + +Because these two APIs have different filtering field schemas, Prometheus exposes separate filter +options for each: `filter` applies to the Catalog API and `health_filter` applies to the Health API. +For example, tags are exposed as `ServiceTags` in the Catalog API but as `Service.Tags` in the +Health API. The following meta labels are available on targets during [relabeling](#relabel_config): @@ -1461,17 +1471,18 @@ The following meta labels are available on targets during [relabeling](#relabel_ services: [ - ] -# A Consul Filter expression used to filter the catalog results -# See https://www.consul.io/api-docs/catalog#list-services to know more -# about the filter expressions that can be used. +# Filter expression for the Catalog API. See https://developer.hashicorp.com/consul/api-docs/catalog#filtering for syntax. [ filter: ] -# The `tags` and `node_meta` fields are deprecated in Consul in favor of `filter`. +# Filter expression for the Health API. See https://developer.hashicorp.com/consul/api-docs/health#filtering for syntax. +[ health_filter: ] + +# The `tags` and `node_meta` fields are deprecated in favor of `filter` and `health_filter`. # An optional list of tags used to filter nodes for a given service. Services must contain all tags in the list. tags: [ - ] -# Node metadata key/value pairs to filter nodes for a given service. As of Consul 1.14, consider `filter` instead. +# Node metadata key/value pairs to filter nodes for a given service. As of Consul 1.14, consider `filter` or `health_filter` instead. [ node_meta: [ : ... ] ] diff --git a/web/ui/mantine-ui/package.json b/web/ui/mantine-ui/package.json index 70201106fa..52ac99618c 100644 --- a/web/ui/mantine-ui/package.json +++ b/web/ui/mantine-ui/package.json @@ -1,7 +1,7 @@ { "name": "@prometheus-io/mantine-ui", "private": true, - "version": "0.311.1", + "version": "0.311.2", "type": "module", "scripts": { "start": "vite", @@ -28,7 +28,7 @@ "@microsoft/fetch-event-source": "^2.0.1", "@nexucis/fuzzy": "^0.5.1", "@nexucis/kvsearch": "^0.9.1", - "@prometheus-io/codemirror-promql": "0.311.1", + "@prometheus-io/codemirror-promql": "0.311.2", "@reduxjs/toolkit": "^2.11.2", "@tabler/icons-react": "^3.40.0", "@tanstack/react-query": "^5.95.2", diff --git a/web/ui/module/codemirror-promql/package.json b/web/ui/module/codemirror-promql/package.json index fc7de423a3..8f12a5c31e 100644 --- a/web/ui/module/codemirror-promql/package.json +++ b/web/ui/module/codemirror-promql/package.json @@ -1,6 +1,6 @@ { "name": "@prometheus-io/codemirror-promql", - "version": "0.311.1", + "version": "0.311.2", "description": "a CodeMirror mode for the PromQL language", "types": "dist/esm/index.d.ts", "module": "dist/esm/index.js", @@ -29,7 +29,7 @@ }, "homepage": "https://github.com/prometheus/prometheus/blob/main/web/ui/module/codemirror-promql/README.md", "dependencies": { - "@prometheus-io/lezer-promql": "0.311.1", + "@prometheus-io/lezer-promql": "0.311.2", "lru-cache": "^11.2.7" }, "devDependencies": { diff --git a/web/ui/module/lezer-promql/package.json b/web/ui/module/lezer-promql/package.json index 6b7238522c..23818f2bba 100644 --- a/web/ui/module/lezer-promql/package.json +++ b/web/ui/module/lezer-promql/package.json @@ -1,6 +1,6 @@ { "name": "@prometheus-io/lezer-promql", - "version": "0.311.1", + "version": "0.311.2", "description": "lezer-based PromQL grammar", "main": "dist/index.cjs", "type": "module", diff --git a/web/ui/package-lock.json b/web/ui/package-lock.json index cfa3ccd7fc..01ac81b9f8 100644 --- a/web/ui/package-lock.json +++ b/web/ui/package-lock.json @@ -1,12 +1,12 @@ { "name": "prometheus-io", - "version": "0.311.1", + "version": "0.311.2", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "prometheus-io", - "version": "0.311.1", + "version": "0.311.2", "workspaces": [ "mantine-ui", "module/*" @@ -24,7 +24,7 @@ }, "mantine-ui": { "name": "@prometheus-io/mantine-ui", - "version": "0.311.1", + "version": "0.311.2", "dependencies": { "@codemirror/autocomplete": "^6.20.1", "@codemirror/language": "^6.12.3", @@ -42,7 +42,7 @@ "@microsoft/fetch-event-source": "^2.0.1", "@nexucis/fuzzy": "^0.5.1", "@nexucis/kvsearch": "^0.9.1", - "@prometheus-io/codemirror-promql": "0.311.1", + "@prometheus-io/codemirror-promql": "0.311.2", "@reduxjs/toolkit": "^2.11.2", "@tabler/icons-react": "^3.40.0", "@tanstack/react-query": "^5.95.2", @@ -88,10 +88,10 @@ }, "module/codemirror-promql": { "name": "@prometheus-io/codemirror-promql", - "version": "0.311.1", + "version": "0.311.2", "license": "Apache-2.0", "dependencies": { - "@prometheus-io/lezer-promql": "0.311.1", + "@prometheus-io/lezer-promql": "0.311.2", "lru-cache": "^11.2.7" }, "devDependencies": { @@ -121,7 +121,7 @@ }, "module/lezer-promql": { "name": "@prometheus-io/lezer-promql", - "version": "0.311.1", + "version": "0.311.2", "license": "Apache-2.0", "devDependencies": { "@lezer/generator": "^1.8.0", diff --git a/web/ui/package.json b/web/ui/package.json index cd2e902c89..cad35c9697 100644 --- a/web/ui/package.json +++ b/web/ui/package.json @@ -1,7 +1,7 @@ { "name": "prometheus-io", "description": "Monorepo for the Prometheus UI", - "version": "0.311.1", + "version": "0.311.2", "private": true, "scripts": { "build": "bash build_ui.sh --all",