Without the return, a successful respond() call would always follow
the error response, writing a second body to an already-written
ResponseWriter and producing a malformed HTTP response.
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
This adds a /api/v1/status/self_metrics endpoint that allows the frontend to
fetch metrics about the server itself, making it easier to construct frontend
pages that show the current server state. This is needed because fetching
metrics from its own /metrics endpoint would be both hard to parse and also
require CORS permissions on that endpoint (for cases where the frontend
dashboard is not the same origin, at least).
Signed-off-by: Julius Volz <julius.volz@gmail.com>
Metric names, label names, and label values containing HTML/JavaScript were
inserted into `innerHTML` without escaping in several UI code paths, enabling
stored XSS attacks via crafted metrics. This mostly becomes exploitable in
Prometheus 3.x, since it defaults to allowing any UTF-8 characters in metric
and label names.
Apply `escapeHTML()` to all user-controlled values before innerHTML
insertion in:
* Mantine UI chart tooltip
* Old React UI chart tooltip
* Old React UI metrics explorer fuzzy search
* Old React UI heatmap tooltip
See https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99
Signed-off-by: Julius Volz <julius.volz@gmail.com>
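An added illustration of the escaping the fix above describes (not code from the Prometheus repository): the unsafe tooltip rendering beside the hardened one, with `escapeHTML()` applied to every user-controlled fragment; the render functions and the sample series are assumptions.

```javascript
// Added example, not code from the Prometheus repository: escape every
// user-controlled string (metric name, label names, label values) before it
// is concatenated into markup destined for innerHTML, as the fix above does
// with escapeHTML(). The render functions and sample series are assumptions.

// Replace the five characters that can open a tag, close an attribute value
// or start an entity with their HTML entity equivalents.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (the "before"): raw strings concatenated into markup.
function renderTooltipUnsafe(series, value) {
  const labels = Object.entries(series.labels)
    .map(([k, v]) => `${k}="${v}"`)
    .join(", ");
  return `<span class="name">${series.name}</span>{${labels}} = ${value}`;
}

// Hardened pattern: every user-controlled fragment passes through escapeHTML().
function renderTooltipSafe(series, value) {
  const labels = Object.entries(series.labels)
    .map(([k, v]) => `${escapeHTML(k)}="${escapeHTML(v)}"`)
    .join(", ");
  return `<span class="name">${escapeHTML(series.name)}</span>{${labels}} = ${escapeHTML(value)}`;
}

// Constructed sample: a metric name and a label value that are legal under
// Prometheus 3.x UTF-8 naming rules but carry HTML markup.
const craftedSeries = {
  name: "</span><b>injected</b><span>",
  labels: { instance: 'host:9100"><i>x</i>', job: "node" },
};

// Counts tag openers in rendered markup; the only legitimate ones are the
// wrapper's own <span> and </span>, so anything above 2 came from user data.
function countMarkupTags(html) {
  return (html.match(/<[a-z\/]/gi) || []).length;
}
```

Running `countMarkupTags()` over both renderings makes the difference concrete: the unsafe output contains eight tag openers, the escaped output only the wrapper's two.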
See the migration guide at https://mantine.dev/guides/8x-to-9x/
- Update all @mantine/* packages from 8.x to 9.x
- Rename Collapse `in` prop to `expanded` (breaking change)
- Set defaultRadius to 'sm' to preserve v8 appearance
- Manually set stacked/unstacked control font-weight back to 500 again
- Remove custom Accordion fork, use Mantine 9's built-in
Accordion with `keepMounted={false}` for the same behavior
Signed-off-by: Julius Volz <julius.volz@gmail.com>
* promql: add test for info() with data label matcher when info series goes stale
When info() is called with a data label matcher that doesn't match
the empty string (e.g. {data=~".+"}), samples at timestamps where
no info series is available should be dropped rather than falling
back to the original un-enriched series.
This case was missing from the test suite.
* docs: document info() behavior when info series is unavailable
Document that when no matching info series exists at a timestamp,
data label matchers that don't match the empty string cause the
sample to be dropped, while empty-matching matchers or no selector
return the series unenriched.
* promql: add test cases for info() fallback when info series goes stale
Add test cases for info(metric, {data=~".*"}) and info(metric) to
complement the existing info(metric, {data=~".+"}) test case, making
the behavioral contrast explicit: empty-matching matchers and no
selector fall back to the unenriched series, while non-empty-matching
matchers drop the sample.
---------
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
Use the same dayjs + useLocalTime pattern from the query page's
TimeInput component so the datetime pickers respect the user's
global "use local time" setting. Adds valueFormat with seconds
precision and stores timestamps as milliseconds internally.
Signed-off-by: Vijay Govindarajan <vijay.govindarajan91@gmail.com>
Address review feedback from juliusv:
- Move delete series UI into the existing TSDB Status page instead of
creating a new top-level page, keeping the navigation minimal
- Use Textarea instead of TextInput for multi-line series selectors
- Use DateTimePicker from @mantine/dates for time range inputs
- Separate error/success states for delete vs clean tombstones
operations, showing alerts in the appropriate card
- Fix warning text to use quoted "Clean Tombstones"
- Remove standalone DeleteSeriesPage.tsx, revert App.tsx routing and
settingsSlice.ts changes
Signed-off-by: Vijay Govindarajan <vijay.govindarajan91@gmail.com>
Without this, navigating directly to /delete-series under a path
prefix (e.g. /prometheus/delete-series) would fail to detect the
prefix correctly.
Signed-off-by: Vijay Govindarajan <vijay.govindarajan91@gmail.com>
Adds a web UI page for the delete_series and clean_tombstones admin
APIs, making it easier to manage time series data without using curl
commands directly.
The page provides:
- A form to specify PromQL series selectors for deletion
- Optional start/end time range filters
- A clean tombstones button to reclaim disk space after deletion
- Warning and confirmation feedback
Fixes #17010
Signed-off-by: Vijay Govindarajan <vijay.govindarajan91@gmail.com>
The retention.percentage config field was typed as uint, which silently
truncated fractional values. Setting percentage: 1.5 in prometheus.yml
resulted in a retention of 1%, with no warning or error.
Remove the redundant MaxPercentage > 100 clamp in main.go; the config
UnmarshalYAML already returns an error for out-of-range values before
this code is reached.
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>
getBoundingClientRect() was cached in the setSize hook, which only fires
on chart creation/resize. The cached viewport-relative coordinates became
stale after scrolling, causing the tooltip to appear increasingly offset
on charts further down the page.
Fixed by calling getBoundingClientRect() on every setCursor invocation to
always get accurate viewport-relative coordinates.
Signed-off-by: Julius Volz <julius.volz@gmail.com>
This adds the `--mantine-ui` switch to `web/ui/build_ui.sh` which
allows building without the old react UI. If built with only the mantine
ui and started with `--enable-features=old-ui` the user will get a 404
response on the web port.
Signed-off-by: Jan Fajerski <jfajersk@redhat.com>
Introduce DefaultTSDBRetentionConfig, populated from CLI flags before any
config file is loaded, so that retention falls back to CLI flags when the
config file has no storage.tsdb section. Config.UnmarshalYAML always injects
a non-nil TSDBConfig with those defaults, removing the need for nil checks in
main.go. ApplyConfig in web.go now propagates retention settings on each
config reload so the runtime info endpoint stays up to date.
Signed-off-by: Julien Pivotto <291750+roidelapluie@users.noreply.github.com>