Annotate util/statsd.lua @ 12181:783056b4e448 0.11 0.11.12
util.xml: Do not allow doctypes, comments or processing instructions

Yes. This is as bad as it sounds. CVE pending.

In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.

This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nonetheless.

This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
author | Jonas Schäfer <jonas@wielicki.name> |
---|---|
date | Mon, 10 Jan 2022 18:23:54 +0100 (2022-01-10) |
parent | 7988:dc758422d896 |
child | 10924:0c072dd69603 |
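
The handler-based restriction described in the commit message above, as an added example that is not Prosody's util.xml code. It assumes a LuaExpat (`lxp`) version that provides `parser:stop()`; `parse_restricted` and the `allow_comments` option are names chosen for this example, and the inputs are constructed.

```lua
local lxp = require "lxp"; -- LuaExpat

-- parse_restricted and options.allow_comments are names chosen for this example.
-- Returns the root element name, or nil plus the reason parsing was refused.
local function parse_restricted(data, options)
	local root, refused;
	local function restricted(kind)
		return function (parser)
			refused = kind.." not allowed";
			-- Abort Expat itself: nothing after this construct is processed.
			parser:stop();
		end
	end
	local callbacks = {
		StartElement = function (_, name) root = root or name; end;
		-- No escape hatch for these two.
		StartDoctypeDecl = restricted("doctype declaration");
		ProcessingInstruction = restricted("processing instruction");
	};
	if not (options and options.allow_comments) then
		callbacks.Comment = restricted("comment");
	end
	local parser = lxp.new(callbacks);
	local ok, err = parser:parse(data);
	if ok then ok, err = parser:parse(); end -- no argument: end of document
	if refused or not ok then
		return nil, refused or err;
	end
	return root;
end

-- Constructed inputs: a WebSocket stream-opening frame, alone and preceded by
-- a doctype that declares one harmless entity, a processing instruction, or a comment.
local open = '<open xmlns="urn:ietf:params:xml:ns:xmpp-framing" to="example.com" version="1.0"/>';
local doctype = '<!DOCTYPE open [<!ENTITY a "x">]>';

assert(parse_restricted(open) == "open");
assert(select(2, parse_restricted(doctype..open)) == "doctype declaration not allowed");
assert(select(2, parse_restricted("<?pi data?>"..open)) == "processing instruction not allowed");
assert(select(2, parse_restricted("<!-- note -->"..open)) == "comment not allowed");
assert(parse_restricted("<!-- note -->"..open, { allow_comments = true }) == "open");
```

Rejecting the doctype declaration outright means entity definitions in an internal subset are never accepted, which is what removes the entity-expansion DoS for input parsed before authentication.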
Line annotations: all lines are from changeset 7522:ebf2e77ac8a7 ("statsmanager, util.statsd: Add built-in statsd provider", Matthew Wild <mwild1@gmail.com>), with two exceptions:

- `local time = require "util.time".now` is from 7988:dc758422d896 ("util.statistics,statsd,throttle,timer: Replace dependency on LuaSocket with util.time for precision time", Kim Alvefur <zash@zash.se>, parent 7701).
- `counter = function (name, initial) --luacheck: ignore 212/initial` is from 7701:672a863105f6 ("util.statsd: Ignore unused argument [luacheck]", Kim Alvefur <zash@zash.se>, parent 7522).

```lua
local socket = require "socket";

local time = require "util.time".now

local function new(config)
	if not config or not config.statsd_server then
		return nil, "No statsd server specified in the config, please see https://prosody.im/doc/statistics";
	end

	local sock = socket.udp();
	sock:setpeername(config.statsd_server, config.statsd_port or 8125);

	local prefix = (config.prefix or "prosody")..".";

	local function send_metric(s)
		return sock:send(prefix..s);
	end

	local function send_gauge(name, amount, relative)
		local s_amount = tostring(amount);
		if relative and amount > 0 then
			s_amount = "+"..s_amount;
		end
		return send_metric(name..":"..s_amount.."|g");
	end

	local function send_counter(name, amount)
		return send_metric(name..":"..tostring(amount).."|c");
	end

	local function send_duration(name, duration)
		return send_metric(name..":"..tostring(duration).."|ms");
	end

	local function send_histogram_sample(name, sample)
		return send_metric(name..":"..tostring(sample).."|h");
	end

	local methods;
	methods = {
		amount = function (name, initial)
			if initial then
				send_gauge(name, initial);
			end
			return function (new_v) send_gauge(name, new_v); end
		end;
		counter = function (name, initial) --luacheck: ignore 212/initial
			return function (delta)
				send_gauge(name, delta, true);
			end;
		end;
		rate = function (name)
			return function ()
				send_counter(name, 1);
			end;
		end;
		distribution = function (name, unit, type) --luacheck: ignore 212/unit 212/type
			return function (value)
				send_histogram_sample(name, value);
			end;
		end;
		sizes = function (name)
			name = name.."_size";
			return function (value)
				send_histogram_sample(name, value);
			end;
		end;
		times = function (name)
			return function ()
				local start_time = time();
				return function ()
					local end_time = time();
					local duration = end_time - start_time;
					send_duration(name, duration*1000);
				end
			end;
		end;
	};
	return methods;
end

return {
	new = new;
}
```