Mikesch-mp / icingaweb2-module-grafana

Grafana module for Icinga Web 2 (supports InfluxDB & Graphite)
https://icinga.com/community/
GNU General Public License v2.0

Denial of service by visiting a URL #261

Closed jschmidt-1 closed 1 year ago

jschmidt-1 commented 3 years ago

By visiting a prepared link you can effectively overload the rendering machine, because the threads do not exit.

Expected Behavior

When visiting the prepared link it either should return a graph (probably a new feature) or gracefully exit with an error.

Current Behavior

It creates new rendering threads for each call. From the client side it results in a gateway timeout, but the rendering machine has lingering rendering threads which must be killed manually.

Steps to Reproduce (for bugs)

  1. Have icinga2 and this grafana module configured in proxy mode and running, same for influxdb and grafana
  2. Visit a link pointing to grafana/show, e.g. https://example.org/icingaweb2/grafana/show?host=$valid_hostname$&service=$invalid_service$
  3. Revisit the link multiple times
  4. Monitor client status and rendering threads; we see multiple chrome threads on the rendering machine hogging CPU time and memory

Context

I tried adding a graph to icinga2's dashboard without a real service behind it, so I explored the module's possibilities. This is still inconclusive, but unrelated to this issue. This attempt ended with an alert about load and memory consumption which required manual intervention. This seems to at least only be possible for logged-in users.

Your Environment

New setup, everything is running on the same machine.

Mikesch-mp commented 1 year ago

Can't reproduce it. The load goes high because the user runs (allowed by permission) to show all graphs of a host. Running multiple times will spawn a lot of chrome threads, but load goes down once all is rendered.
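
A check for step 4 of the report, written as an added example that is not part of the issue thread or the module's code: it flags Chrome renderer processes that have outlived a render timeout, which separates processes that linger from ones that are busy and exit once rendering is done. The 120-second threshold, the `chrome`/`chromium` executable-name match and the sample `ps` lines are assumptions constructed for illustration.

```python
import subprocess
from dataclasses import dataclass

# Linux procps: no header, elapsed seconds, CPU %, RSS in KiB, full command line
PS_CMD = ["ps", "-eo", "pid=,etimes=,pcpu=,rss=,args="]
MAX_RENDER_AGE_S = 120  # assumed render timeout; tune to your renderer

# Constructed sample output (paths and values are illustrative)
SAMPLE_PS = """\
 1201  5400  0.3  81200 /usr/sbin/grafana-server
 4410   950 97.0 412000 /opt/renderer/chrome-linux/chrome --headless --type=renderer
 4475   610 88.5 398000 /opt/renderer/chrome-linux/chrome --headless --type=renderer
 4630    12 45.0 150000 /opt/renderer/chrome-linux/chrome --headless --type=renderer
 4700   300  0.1  20480 php-fpm: pool www
"""

@dataclass
class Proc:
    pid: int
    age_s: int
    cpu_pct: float
    rss_kib: int
    args: str

def parse_ps(text):
    """Parse `ps -eo pid=,etimes=,pcpu=,rss=,args=` output into Proc records."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        try:
            pid, age, cpu, rss = int(parts[0]), int(parts[1]), float(parts[2]), int(parts[3])
            procs.append(Proc(pid, age, cpu, rss, parts[4]))
        except (IndexError, ValueError):
            continue  # header, blank or truncated line
    return procs

def is_renderer(proc):
    # Match on the executable's base name only, not on arguments
    exe = proc.args.split()[0].rsplit("/", 1)[-1]
    return exe.startswith(("chrome", "chromium"))

def summarize(procs, max_age_s=MAX_RENDER_AGE_S):
    """Report renderer processes older than the timeout, oldest first."""
    stale = sorted((p for p in procs if is_renderer(p) and p.age_s > max_age_s),
                   key=lambda p: p.age_s, reverse=True)
    return {"count": len(stale), "pids": [p.pid for p in stale],
            "rss_mib": sum(p.rss_kib for p in stale) // 1024}

if __name__ == "__main__":
    live = subprocess.run(PS_CMD, capture_output=True, text=True, check=True).stdout
    print(summarize(parse_ps(live)))
```

A count that stays above zero across repeated runs, with the same PIDs, points to renderers that are not exiting; a count that returns to zero matches load that clears once rendering completes.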