Enforce HTTP method required by most API endpoints #3228
Conversation
Thanks.

I would suggest that we enforce specifying the method by changing the `RegisterRoute` signature to have one required method and fixing the remaining places.

```go
func (a *API) RegisterRoute(path string, handler http.Handler, auth bool, method string, methods ...string) {
```

I think the same should be done in `RegisterRoutesWithPrefix` (used by alertmanager only), but that requires a bit more research about which methods are required there. It's not currently clear, as AlertManager acts as a mux itself.

Approving so you can decide the best course of action.

/cc @jtlisi
Signed-off-by: Marco Pracucci <[email protected]>
5e5c4b8 to 105b2d0
I've enforced it in
LGTM
- `GET|POST /ring` | ||
- `GET|POST /store-gateway/ring` | ||
- `GET|POST /compactor/ring` | ||
- `GET|POST /ingester/flush` |
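Review bot: `GET|POST /ingester/flush` documents a GET path for an endpoint that changes ingester state; as the thread below notes, keeping GET on /flush (and /shutdown) means an index-page link, a browser prefetch or a link-following robot can trigger them, so this entry should either become POST-only or reference the follow-up tracked in #3243.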
Perhaps we should make /flush, /shutdown and push POST-only? It would make the flush and shutdown links on the index page not work from a browser, which may be a good thing (no accidental click from a browser, or prefetching, or recursive link-following robots).
> push POST-only

It is POST only but the CHANGELOG was wrong. Fixed, thanks!

> Perhaps we should make /flush, /shutdown

I agree it would be safer. If we do so, we should consider:

- Change `tools/migrate-ingester-statefulsets.sh` because it calls `GET /shutdown`, but then we would have to use something different than `wget` (and `curl` is not available in Cortex images)
- We would have to remove these links from the `/` HTML page because if you click on them they will fail (so there's no point linking them; https://cortexmetrics.io/docs/api/ will be enough)

Thoughts?
> - Change `tools/migrate-ingester-statefulsets.sh` because it calls `GET /shutdown`, but then we would have to use something different than `wget` (and `curl` is not available in Cortex images)

Valid point. What about including a little tool in the image to call those endpoints? We could fix other problems with the included wget too -- it doesn't like 204. I'd suggest a separate PR for all that.

> - We would have to remove these links from the `/` HTML page because if you click on them they will fail (so there's no point linking them; https://cortexmetrics.io/docs/api/ will be enough)

I would keep them in the index page (it's useful to know that a given Cortex supports it), but add a note that they are POST-only.
> Valid point. What about including a little tool in the image to call those endpoints? We could fix other problems with the included wget too -- it doesn't like 204. I'd suggest a separate PR for all that.

I have the feeling it's overkill. Installing `curl` in our Docker images could simply be easier.
`curl` also doesn't like 204 and returns a non-zero exit code. We could simplify our script if we had this.
+1 to making them POST only!

+1 to showing them in the index page but mentioning that they only support POST.

Not too familiar with the script though.
Would you agree if I do it in a separate PR? We need to find a solution for the `wget` replacement and I would like to avoid blocking this PR because of that.
> Would you agree if I do it in a separate PR? We need to find a solution for the `wget` replacement and I would like to avoid blocking this PR because of that.

Absolutely
Opened an issue for /flush and /shutdown: #3243
a.indexPage.AddLink(SectionAdminEndpoints, "/multitenant_alertmanager/status", "Alertmanager Status") | ||
// Ensure this route is registered before the prefixed AM route | ||
a.RegisterRoute("/multitenant_alertmanager/status", am.GetStatusHandler(), false) | ||
a.RegisterRoute("/multitenant_alertmanager/status", am.GetStatusHandler(), false, "GET") |
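Review bot: with "GET" now enforced on this line, a non-GET request to /multitenant_alertmanager/status is no longer served by GetStatusHandler; the comment above says this registration must precede the prefixed AM route for the same path, so it is worth confirming what that prefixed route does with such a request, since the method restriction here does not change the registration order it relies on.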
@gotjosh Do you see problem with this?
Signed-off-by: Marco Pracucci <[email protected]>
…tex#3228)

* Enforce HTTP method required by most API endpoints
  Signed-off-by: Marco Pracucci <[email protected]>
* Enforced method to api.RegisterRoute()
  Signed-off-by: Marco Pracucci <[email protected]>
* Small fixes
  Signed-off-by: Marco Pracucci <[email protected]>
What this PR does:

We had some API endpoints which allowed any HTTP method, while they were clearly only `GET` and/or `POST`. This is particularly insidious if someone misconfigures Prometheus and remote writes to `/`, because those POST requests will succeed while they shouldn't. In this PR I'm fixing it.

Which issue(s) this PR fixes:

Fixes #3227

Checklist

- `CHANGELOG.md` updated - the order of entries should be `[CHANGE]`, `[FEATURE]`, `[ENHANCEMENT]`, `[BUGFIX]`
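The following is an added illustration, not Cortex's own code: a minimal `RegisterRoute` with the required-method signature proposed in the review, registered on a stdlib `ServeMux`, so that the misdirected remote-write POST to `/` described in the PR text gets 405 instead of succeeding. The `API` type, the `X-Scope-OrgID` auth stand-in and the `Probe` helper are assumptions made for the example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// API is a hypothetical stand-in for Cortex's API type, not the project's own code.
type API struct{ mux *http.ServeMux }

// RegisterRoute follows the signature proposed in the review: one required method plus
// optional extras. Any other method gets 405 before the handler or the auth check runs.
func (a *API) RegisterRoute(path string, handler http.Handler, auth bool, method string, methods ...string) {
	allowed := map[string]bool{method: true}
	for _, m := range methods {
		allowed[m] = true
	}
	a.mux.HandleFunc(path, func(w http.ResponseWriter, r *http.Request) {
		if !allowed[r.Method] {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// Simplified stand-in for the tenant-auth middleware: require X-Scope-OrgID.
		if auth && r.Header.Get("X-Scope-OrgID") == "" {
			http.Error(w, "no org id", http.StatusUnauthorized)
			return
		}
		handler.ServeHTTP(w, r)
	})
}

// Probe sends an in-memory request and returns the status code; tenant may be "".
func (a *API) Probe(method, path, tenant string) int {
	req := httptest.NewRequest(method, path, nil)
	if tenant != "" {
		req.Header.Set("X-Scope-OrgID", tenant)
	}
	rec := httptest.NewRecorder()
	a.mux.ServeHTTP(rec, req)
	return rec.Code
}

// newDemoAPI registers routes with the methods the PR's CHANGELOG lists for them.
func newDemoAPI() *API {
	a := &API{mux: http.NewServeMux()}
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	a.RegisterRoute("/", ok, false, "GET")               // index page: GET only
	a.RegisterRoute("/ring", ok, false, "GET", "POST")   // ring page: GET|POST
	a.RegisterRoute("/ingester/flush", ok, true, "POST") // mutating: POST only, authenticated
	return a
}
```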