Advisories for the Swift package github.com/swift-server/swift-prometheus

2024

Un-sanitized metric name or labels can be used to take over exported metrics

In code which applies un-sanitized string values into metric names or labels, like this:

    let lang = try? request.query.get(String.self, at: "lang")
    Counter(label: "language", dimensions: [("lang", lang ?? "unknown")])

an attacker could make use of this and send a ?lang query parameter containing newlines, } or similar characters, which can lead to the attacker taking over the exported format – including creating unbounded numbers of stored metrics, …
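As an added example (not code from swift-prometheus or from the advisory), the following Swift functions show the two controls a handler needs before request data reaches a metric: validating metric and label names against the exposition-format grammar, escaping label values so they cannot terminate the sample line, and bounding cardinality with an allow-list. The `requests_total` metric, the language allow-list and the tainted sample value are constructed for this demonstration.

```swift
// Added example, not part of swift-prometheus or of the advisory text:
// defensive handling of untrusted strings before they reach a metric name,
// a label name or a label value. The names, the allow-list and the tainted
// sample value below are constructed for this demonstration.

enum MetricInputError: Error {
    case invalidMetricName(String)
    case invalidLabelName(String)
}

// Character classes of the Prometheus text exposition format:
//   metric name: [a-zA-Z_:][a-zA-Z0-9_:]*
//   label name:  [a-zA-Z_][a-zA-Z0-9_]*   (names starting with "__" are reserved)
private func isNameStart(_ c: Unicode.Scalar, allowColon: Bool) -> Bool {
    return (c >= "a" && c <= "z") || (c >= "A" && c <= "Z") || c == "_" || (allowColon && c == ":")
}

private func isNameTail(_ c: Unicode.Scalar, allowColon: Bool) -> Bool {
    return isNameStart(c, allowColon: allowColon) || (c >= "0" && c <= "9")
}

private func matchesNameGrammar(_ name: String, allowColon: Bool) -> Bool {
    let scalars = name.unicodeScalars
    guard let first = scalars.first, isNameStart(first, allowColon: allowColon) else { return false }
    return scalars.dropFirst().allSatisfy { isNameTail($0, allowColon: allowColon) }
}

/// Names must never be derived from request data; an invalid name is a
/// programming error, so it is rejected rather than repaired.
func validateMetricName(_ name: String) throws -> String {
    guard matchesNameGrammar(name, allowColon: true) else {
        throw MetricInputError.invalidMetricName(name)
    }
    return name
}

func validateLabelName(_ name: String) throws -> String {
    guard matchesNameGrammar(name, allowColon: false), !name.hasPrefix("__") else {
        throw MetricInputError.invalidLabelName(name)
    }
    return name
}

/// Escapes a label value as the text format requires (\\, \", \n) and, as a
/// conservative extra, drops any other ASCII control character, so a value can
/// never close the label set or end the sample line it is embedded in.
func escapeLabelValue(_ value: String) -> String {
    var out = ""
    // Iterate scalars, not Characters: "\r\n" is a single Character in Swift
    // and would slip past a Character-based comparison against "\n".
    for scalar in value.unicodeScalars {
        switch scalar {
        case "\\": out += "\\\\"
        case "\"": out += "\\\""
        case "\n": out += "\\n"
        default:
            if scalar.value < 0x20 || scalar.value == 0x7F { continue }
            out.unicodeScalars.append(scalar)
        }
    }
    return out
}

/// Bounds cardinality for a label whose value comes from the request: anything
/// outside the allow-list collapses to one fallback value, so varying the
/// parameter cannot create an unbounded number of stored series.
func boundedLabelValue(_ raw: String?, allowed: Set<String>, fallback: String = "other") -> String {
    guard let raw = raw, allowed.contains(raw) else { return fallback }
    return raw
}

/// Renders one sample line in the text exposition format from validated names
/// and escaped values; stands in for handing the pairs to a Counter's dimensions.
func renderSample(metric: String, labels: [(String, String)], value: Double) throws -> String {
    let name = try validateMetricName(metric)
    var rendered: [String] = []
    for pair in labels {
        let key = try validateLabelName(pair.0)
        rendered.append("\(key)=\"\(escapeLabelValue(pair.1))\"")
    }
    if rendered.isEmpty { return "\(name) \(value)" }
    return "\(name){\(rendered.joined(separator: ","))} \(value)"
}

// Constructed stand-in for an untrusted ?lang query parameter: it carries a
// quote, a closing brace and a newline, the characters the advisory names.
let untrusted: String? = "en\"} injected_metric 1\n"
let allowedLanguages: Set<String> = ["en", "de", "fr"]

// Preferred: allow-list first, so the set of stored series stays bounded.
let lang = boundedLabelValue(untrusted, allowed: allowedLanguages)
print(try renderSample(metric: "requests_total", labels: [("lang", lang)], value: 1))

// Even without the allow-list, escaping keeps the tainted text inside one label
// value instead of letting it end the line and start a second sample.
print(try renderSample(metric: "requests_total", labels: [("lang", untrusted ?? "unknown")], value: 1))

// A metric name containing a newline is rejected, not sanitized.
do {
    _ = try renderSample(metric: "requests_total\n", labels: [], value: 1)
} catch {
    print("rejected:", error)
}
```

Run it as a script with `swift main.swift`. Escaping alone closes the format-injection half of the advisory; the allow-list is what addresses the other half, the unbounded growth of stored metrics, which no amount of escaping prevents once every distinct request value becomes its own series.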