*What happened*: using burp scanner to scan the Prometheus server, it reports a *SQL injection attack* with high severity.I am using Prometheus 2.16 version.
Please find the Request and Response details below. Request GET /api/v1/query?query=time()'&_=1588065331449 HTTP/1.1 Host: x.x.x.x:9090 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://x.x.x.x:9090/graph X-Requested-With: XMLHttpRequest Connection: close Response HTTP/1.1 400 Bad Request Content-Type: application/json Date: Tue, 28 Apr 2020 09:18:26 GMT Content-Length: 123 Connection: close {"status":"error","errorType":"bad_data","error":"invalid parameter 'query': 1:7: parse error: unterminated quoted string"} *What you expected to happen*: no high level attacks -- You received this message because you are subscribed to the Google Groups "Prometheus Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/6f8dc289-216c-433c-a0f7-0d07d679cd05%40googlegroups.com.
