ricoberger / script_exporter

Prometheus exporter to execute scripts and collect metrics from the output or the exit status.
MIT License

how to disable param config in url (security concern) #68

Closed LeoQuote closed 1 year ago

LeoQuote commented 1 year ago

Params can be edited in the URL config. That's a good feature, but it could also be a security problem. Can we disable this feature?

I tried

  - name: "echo"
    script: "echo"
  - name: "echo2"
    command: "echo"

but they both support customizing the command params.

http://localhost:9469/probe?script=echo&params=s,t&s=foo&t=bar
http://localhost:9469/probe?script=echo2&params=s,t&s=foo&t=bar

Both web pages show foo bar, meaning the parameter in the web URL is passed to the command being executed, which could lead to a security problem.

LeoQuote commented 1 year ago

OK, it seems it could be done with

script_exporter -noargs
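An added example, not part of the thread and not the exporter's own source: a simplified Go model of how a `/probe` URL like the ones above expands into command arguments, and what ignoring URL-supplied values (the effect attributed to `-noargs` in this thread) changes. The function name `probeArgs` and its `configured` parameter are hypothetical, and appending URL values after configured arguments is an assumption.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// probeArgs models the expansion of ?script=NAME&params=a,b&a=..&b=..
// into (script, argv). It is a simplified model for reasoning about
// exposure, not the exporter's implementation.
// configured holds arguments fixed in the config file (hypothetical).
// noArgs models running with -noargs: URL-supplied values are dropped.
func probeArgs(rawURL string, configured []string, noArgs bool) (string, []string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", nil, err
	}
	q := u.Query()
	script := q.Get("script")
	if script == "" {
		return "", nil, fmt.Errorf("script parameter is missing")
	}
	args := append([]string{}, configured...)
	if noArgs {
		// Only operator-controlled arguments reach the command.
		return script, args, nil
	}
	// Each name listed in params is looked up as its own query key,
	// so the HTTP client chooses both the count and the values.
	for _, name := range strings.Split(q.Get("params"), ",") {
		if name != "" {
			args = append(args, q.Get(name))
		}
	}
	return script, args, nil
}

func main() {
	// URL taken from the issue text.
	u := "http://localhost:9469/probe?script=echo&params=s,t&s=foo&t=bar"
	for _, noArgs := range []bool{false, true} {
		script, args, err := probeArgs(u, nil, noArgs)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("noargs=%v script=%s args=%q\n", noArgs, script, args)
	}
}
```

With the switch off, anyone who can reach the probe endpoint controls the argument list of every configured script, so the endpoint's network exposure matters as much as the flag.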