Restrict accepted metric listener HTTP methods
What does this MR do?
Prevents us from ever easily introducing a denial-of-service vulnerability through the use of promhttp.
Why was this MR needed?
promhttp can be used in two ways: to return metrics, or to wrap and instrument existing HTTP handlers.
We currently only use it to return metrics, so we're not vulnerable to any kind of attack. However, if we were to ever introduce instrumented HTTP handlers, this fix prevents an issue where an arbitrary (unbounded) HTTP method in a request could cause issues with the Prometheus server. This is being added as a security enhancement.
https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27194 goes into more detail.
What's the best way to test this MR?
gitlab-runner run --listen-address ":9252"
# in another terminal
curl -X POST localhost:9252/metrics
# Should output Method Not Allowed
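As an added example (not code from the gitlab-runner MR itself), the method restriction described above written in Go against the standard library: a wrapper that answers 405 for anything but GET and HEAD before the wrapped handler, and any instrumentation on it, ever sees the request. The metrics handler is a stub standing in for promhttp.Handler(), and the probe helper reproduces the curl check offline; both are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedMethods is the set of methods the metrics endpoint serves.
// Prometheus scrapes with GET; HEAD is harmless. Everything else gets 405.
var allowedMethods = map[string]bool{
	http.MethodGet:  true,
	http.MethodHead: true,
}

// restrictMethods rejects requests whose method is not on the allow list
// before the wrapped handler (in the runner, promhttp) is reached, so an
// arbitrary method string never flows into metric labels.
func restrictMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			w.Header().Set("Allow", "GET, HEAD")
			http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// metricsStub stands in for promhttp.Handler() so the example runs offline.
func metricsStub() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "# constructed sample metric\nrunner_up 1")
	})
}

// probe sends one in-memory request with the given method to the wrapped
// handler and returns the status code (the same check as the curl command).
func probe(method string) int {
	rec := httptest.NewRecorder()
	restrictMethods(metricsStub()).ServeHTTP(rec, httptest.NewRequest(method, "/metrics", nil))
	return rec.Code
}

func main() {
	for _, m := range []string{"GET", "HEAD", "POST", "FOOBAR"} {
		fmt.Printf("%-6s -> %d\n", m, probe(m))
	}
}
```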
What are the relevant issue numbers?
Closes #27194