Swift Prometheus 2.0.0-alpha.1: Metric name and label sanitization vulnerability

Hello everyone,
We recently received a report that SwiftPrometheus was not escaping the names of metrics, label names, or label values.

We discussed the report in depth and adjusted the library to sanitize metric names and label names according to the Prometheus specification.

Please do read the detailed vulnerability report, and always validate untrusted inputs before passing them into libraries, as even with this patch malicious inputs.
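To make the class of bug concrete, here is an added Python illustration (not code from swift-prometheus, and not the exact case in the advisory) of how the Prometheus text exposition format can be hijacked when a label value is interpolated verbatim, next to a hardened renderer that sanitizes names against the spec's character rules and escapes label values. The sanitization policy (replacing disallowed characters with `_`), the constructed hostile label value, and all function names are assumptions for the example.

```python
import re

# Name rules from the Prometheus data model. Label values may be any UTF-8, but the
# text exposition format requires escaping backslash, double quote and newline.
METRIC_NAME_RE = re.compile(r"^[a-zA-Z_:][a-zA-Z0-9_:]*$")
LABEL_NAME_RE = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_]*$")


def escape_label_value(value: str) -> str:
    """Escape a label value so it cannot close the quoted string or end the sample line."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def sanitize_metric_name(name: str) -> str:
    """Replace characters the spec disallows with '_'. This is one possible sanitization
    policy, assumed for the example; it is not necessarily the one swift-prometheus chose."""
    cleaned = re.sub(r"[^a-zA-Z0-9_:]", "_", name)
    if not cleaned or cleaned[0].isdigit():
        cleaned = "_" + cleaned
    return cleaned


def sanitize_label_name(name: str) -> str:
    """Same policy for label names, which additionally may not contain ':'."""
    cleaned = re.sub(r"[^a-zA-Z0-9_]", "_", name)
    if not cleaned or cleaned[0].isdigit():
        cleaned = "_" + cleaned
    return cleaned


def render_unsafe(name: str, labels: dict, value: float) -> str:
    """Vulnerable rendering: name, label names and label values are interpolated verbatim."""
    body = ",".join(f'{k}="{v}"' for k, v in labels.items())
    return f"{name}{{{body}}} {value}\n"


def render_safe(name: str, labels: dict, value: float) -> str:
    """Hardened rendering: sanitize names, re-check them against the spec, escape values."""
    name = sanitize_metric_name(name)
    if not METRIC_NAME_RE.match(name):  # belt and braces after sanitizing
        raise ValueError(f"invalid metric name: {name!r}")
    parts = []
    for k, v in sorted(labels.items()):
        k = sanitize_label_name(k)
        if not LABEL_NAME_RE.match(k):
            raise ValueError(f"invalid label name: {k!r}")
        parts.append(f'{k}="{escape_label_value(v)}"')
    return f"{name}{{{','.join(parts)}}} {value}\n"


# Constructed attacker-controlled label value (think: a request path copied into a label).
# It closes the quote and brace, ends the line, and appends a sample the attacker chose.
MALICIOUS_PATH = '/x"} 1\nrequests_total{path="/admin"} 999\ninjected{x="y'


def injected_line_count(renderer) -> int:
    """How many exposition lines a single sample with the hostile label turns into."""
    return len(renderer("requests_total", {"path": MALICIOUS_PATH}, 1).splitlines())


if __name__ == "__main__":
    print("unsafe:\n" + render_unsafe("requests_total", {"path": MALICIOUS_PATH}, 1))
    print("safe:\n" + render_safe("requests_total", {"path": MALICIOUS_PATH}, 1))
```

With the unsafe renderer the one sample becomes three lines, the middle one entirely attacker-chosen, which is how an un-sanitized label can overwrite or spoof other exported series. The hardened renderer emits a single line. Note the caveat that applies to any sanitizing approach: mapping disallowed characters to `_` means distinct untrusted inputs can collide onto the same series, and unbounded untrusted label values still let a caller blow up cardinality, so input validation at the application boundary is still required.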

See the full vulnerability report on GitHub: Un-sanitized metric name or labels can be used to take over exported metrics · Advisory · swift-server/swift-prometheus · GitHub

Please update to 2.0.0-alpha.2 if you are currently using alpha.1.

We would like to thank Jonas Dörr for bringing the issue to our attention, and @fabianfett for discussing and collaborating on an appropriate fix.
