Testing for HTTP Verb Tampering (OTG-INPVAL-003) failed.

[Charles1000Chen]

Describe the bug

The zhmc prometheus exporter failed in HTTP Verb Tampering tests because it accepts any HTTP verbs. It's expected that only the GET method is accepted. Refer to https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web_application_security_testing/testing_for_http_verb_tampering_otg-inpval-003.html

Expected behavior

The zhmc prometheus exporter only accepts HTTP GET request and all other HTTP requests are rejected with 403 error.

To Reproduce Start zhmc prometheus exporter at the port 9800, then try to send http request to it with verb other than GET:

curl -i -X OPTIONS --cacert --cert --key https://:9800/metrics curl -i -X HEAD --cacert --cert --key https://:9800/metrics curl -i -X POST --cacert --cert --key https://:9800/metrics curl -i -X PUT --cacert --cert --key https://:9800/metrics curl -i -X DELETE --cacert --cert --key https://:9800/metrics curl -i -X TRACE --cacert --cert --key https://:9800/metrics curl -i -X CONNECT --cacert --cert --key https://:9800/metrics ...

Environment information

• Output of zhmc_prometheus_exporter --version:
• HMC version:

Command output For any HTTP verb requests, it returns 200 and metrics data.

HTTP/1.0 200 OK
Date: Mon, 27 Mar 2024 01:18:07 GMT
Server: WSGIServer/0.2 CPython/3.10.12
Content-Type: text/plain; version=0.0.4; charset=utf-8
Content-Length: 533576
…...

Log file <-- If possible, attach a log file generated with '--log-comp all=debug --log exporter.log'. -->

[andy-maier]

Good point, Chen Mu. Will be fixed.

[andy-maier]

I have raised this as an issue against the prometheus_client package: https://github.com/prometheus/client_python/issues/1018

[andy-maier]

I have submitted a PR on the prometheus_client package to address the issue there.

We need to wait for a reaction and use an updated version.