-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Safer get param handling for prom queries #6958
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Safer get param handling for prom queries #6958
Conversation
Thank you for your contribution! 🙏 Please understand that we will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer as expected. While you are waiting, make sure to:
Once the initial tests are successful, a KEDA member will ensure that the e2e tests are run. Once the e2e tests have been successfully completed, the PR may be merged at a later date. Please be patient. Learn more about our contribution guide. |
logger: logr.Discard(), | ||
} | ||
|
||
value, err := scaler.ExecutePromQuery(context.TODO()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Semgrep identified an issue in your code:
Consider to use well-defined context
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>
for false positive/ar <comment>
for acceptable risk/other <comment>
for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by context-todo.
You can view more details about this finding in the Semgrep AppSec Platform.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/ar acceptable in test
logger: logr.Discard(), | ||
} | ||
|
||
value, err := scaler.ExecutePromQuery(context.TODO()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Semgrep identified an issue in your code:
Consider to use well-defined context
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>
for false positive/ar <comment>
for acceptable risk/other <comment>
for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by context-todo.
You can view more details about this finding in the Semgrep AppSec Platform.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/ar acceptable in test
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This PR improves the handling of query parameters and URL construction in the Prometheus scaler by replacing manual string formatting with the net/url library for safer URL construction. This change prevents issues when server addresses contain trailing slashes and ensures proper escaping of special characters in query parameters.
- Replaces
fmt.Sprintf
URL construction withnet/url
package functions for safer parameter handling - Uses
url.Values
to properly encode query parameters instead of manual escaping - Handles trailing slash behavior consistently across different server address configurations
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
File | Description |
---|---|
pkg/scalers/prometheus_scaler.go | Updates ExecutePromQuery to use net/url for URL construction and parameter encoding |
pkg/scalers/prometheus_scaler_test.go | Adds comprehensive tests for special characters and trailing slash handling scenarios |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Co-authored-by: Copilot <[email protected]> Signed-off-by: Mark Carey <[email protected]>
/run-e2e prometheus |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kogent could you please fix the DCO?
Also please update changelog (Other section)
The use of fmt.Sprintf to build the query url doesn't handle all the query cases possible with prometheus and breaks for serverAddress configs with trailing slashes. This PR uses net/url library functions to build the query string safely.
The tests added failed prior to the change proposed and pass after. All existing tests pass.
A future PR would ideally also support POST for sending queries, but this is a good first step.
Checklist
Fixes #
Relates to #