Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: frontend middleware to block matching urls #3963

Merged
merged 7 commits into from
Aug 16, 2024
Merged

feat: frontend middleware to block matching urls #3963

merged 7 commits into from
Aug 16, 2024

Conversation

javiermolinar
Copy link
Contributor

@javiermolinar javiermolinar commented Aug 14, 2024
edited
Loading

What this PR does:
It provides a mechanism to refuse requests based on a regex blacklist. A new middleware was created and executed the first in the query pipeline. Any request that matches will return a 400 status code response.

Due to the way we build the pipeline I decided to make the new middleware as an AsyncMiddleware, that way it can be executed first in the chain. We should explore the possibility of having just one type of middleware so that they can run in any order regardless of their work.

Which issue(s) this PR fixes:
Fixes #3769

Checklist

  • Tests updated
  • Documentation added
  • CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

@joe-elliott joe-elliott mentioned this pull request Aug 14, 2024
Closed
3 tasks
joe-elliott
joe-elliott reviewed Aug 16, 2024
View reviewed changes
modules/frontend/pipeline/deny_list_middleware.go Outdated
func (c urlDenylistWare) validateRequest(url string) error {
for _, v := range c.denyList {
if v.MatchString(url) {
return fmt.Errorf("Invalid request %s, URL is blacklisted", url)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will likely show up in Grafana, let's try:

"Invalid request %s. This query has been identified as one that destabilizes our system. Contact your system administrator for more information"

@joe-elliott joe-elliott merged commit 3e20eb2 into grafana:main Aug 16, 2024
17 checks passed
@javiermolinar javiermolinar deleted the url-black-list branch August 16, 2024 13:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joe-elliott joe-elliott joe-elliott approved these changes

@knylander-grafana knylander-grafana Awaiting requested review from knylander-grafana knylander-grafana is a code owner

@annanay25 annanay25 Awaiting requested review from annanay25

@mdisibio mdisibio Awaiting requested review from mdisibio mdisibio is a code owner

@mapno mapno Awaiting requested review from mapno mapno is a code owner

@yvrhdn yvrhdn Awaiting requested review from yvrhdn yvrhdn is a code owner

@zalegrala zalegrala Awaiting requested review from zalegrala zalegrala is a code owner

@electron0zero electron0zero Awaiting requested review from electron0zero electron0zero is a code owner

@ie-pham ie-pham Awaiting requested review from ie-pham ie-pham is a code owner

@stoewer stoewer Awaiting requested review from stoewer stoewer is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Create a configurable list of TraceQL queries that are immediately 400'ed
2 participants
@javiermolinar @joe-elliott