Open Charles1000Chen opened 3 months ago
Good point, Chen Mu. Will be fixed.
I have raised this as an issue against the prometheus_client package: https://github.com/prometheus/client_python/issues/1018
I have submitted a PR on the prometheus_client package to address the issue there.
We need to wait for a reaction and use an updated version.
Describe the bug
The zhmc prometheus exporter failed in HTTP Verb Tampering tests because it accepts any HTTP verb. It's expected that only the GET method is accepted. Refer to https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web_application_security_testing/testing_for_http_verb_tampering_otg-inpval-003.html
Expected behavior
The zhmc prometheus exporter only accepts HTTP GET requests, and all other HTTP requests are rejected with a 403 error.
To Reproduce
Start the zhmc prometheus exporter on port 9800, then try to send HTTP requests to it with a verb other than GET:
curl -i -X OPTIONS --cacert --cert --key https://:9800/metrics
curl -i -X HEAD --cacert --cert --key https://:9800/metrics
curl -i -X POST --cacert --cert --key https://:9800/metrics
curl -i -X PUT --cacert --cert --key https://:9800/metrics
curl -i -X DELETE --cacert --cert --key https://:9800/metrics
curl -i -X TRACE --cacert --cert --key https://:9800/metrics
curl -i -X CONNECT --cacert --cert --key https://:9800/metrics
...
Environment information
zhmc_prometheus_exporter --version:
Command output
For any HTTP verb, the request returns 200 and metrics data.
Log file
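An added example, not code from the zhmc exporter or from prometheus_client: a WSGI wrapper that lets only GET reach a metrics app and answers every other verb with 405 Method Not Allowed plus an `Allow: GET` header (405 is the status HTTP defines for a method the resource does not support; the issue above asks for 403, and the status string is a one-line change if that is preferred). It assumes the metrics endpoint is served as a WSGI app, as prometheus_client's `make_wsgi_app` produces; the names `metrics_app`, `restrict_methods`, `call` and `probe`, the sample metrics payload and the environ dicts are all constructed for this example, so it runs offline and replays the verb list from the reproduction steps against both the unrestricted and the restricted app.

```python
"""Added example: restrict a WSGI metrics endpoint to GET (not project code)."""
from typing import Dict, Iterable, Tuple

# Constructed stand-in for real exporter output (assumption: text exposition format).
SAMPLE_METRICS = b"# HELP up Target is up\n# TYPE up gauge\nup 1\n"

# Verbs from the reproduction steps above, plus a couple more worth probing.
PROBE_VERBS = ("GET", "HEAD", "OPTIONS", "POST", "PUT", "DELETE", "TRACE", "CONNECT", "PATCH")


def metrics_app(environ, start_response):
    """Toy WSGI app mirroring the reported behaviour: 200 + metrics for any verb."""
    start_response("200 OK", [
        ("Content-Type", "text/plain; version=0.0.4; charset=utf-8"),
        ("Content-Length", str(len(SAMPLE_METRICS))),
    ])
    return [SAMPLE_METRICS]


def restrict_methods(app, allowed: Iterable[str] = ("GET",)):
    """Wrap a WSGI app so that only the listed methods reach it.

    Every other verb gets 405 Method Not Allowed with an Allow header, and the
    wrapped app is never called, so no metrics data is disclosed on the way.
    Method names are compared case-sensitively, as HTTP defines them.
    """
    allowed = tuple(allowed)
    allow_header = ", ".join(allowed)
    body = b"405 Method Not Allowed\n"

    def wrapped(environ, start_response):
        if environ.get("REQUEST_METHOD") not in allowed:
            start_response("405 Method Not Allowed", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
                ("Allow", allow_header),
            ])
            return [body]
        return app(environ, start_response)

    return wrapped


def call(app, method: str, path: str = "/metrics") -> Tuple[str, Dict[str, str], bytes]:
    """Invoke a WSGI app in-process with a minimal constructed environ (no network)."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "9800",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "wsgi.url_scheme": "https",
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    result = app(environ, start_response)
    try:
        body = b"".join(result)
    finally:
        if hasattr(result, "close"):
            result.close()
    return captured["status"], captured["headers"], body


def probe(app, verbs: Iterable[str] = PROBE_VERBS) -> Dict[str, int]:
    """Replay the verb-tampering test: map each verb to the numeric status returned."""
    return {verb: int(call(app, verb)[0].split(" ", 1)[0]) for verb in verbs}


def main() -> None:
    before = probe(metrics_app)
    after = probe(restrict_methods(metrics_app))
    print(f"{'verb':8} {'unrestricted':>12} {'restricted':>10}")
    for verb in PROBE_VERBS:
        print(f"{verb:8} {before[verb]:>12} {after[verb]:>10}")


if __name__ == "__main__":
    main()
```

To repeat the curl checks from the report against this wrapper, serve it with the standard library, for example `wsgiref.simple_server.make_server("", 9800, restrict_methods(metrics_app)).serve_forever()` (plain HTTP here; the report's mTLS flags are not part of this example), and every verb except GET comes back as 405 with `Allow: GET`. Passing `allowed=("GET", "HEAD")` admits HEAD as well, should that be wanted.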