Skip to content

Fix buffer overflow and add missing documentation for Prometheus v2 endpoint #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Copilot wants to merge 3 commits into from
Closed

Fix buffer overflow and add missing documentation for Prometheus v2 endpoint #1

Copilot wants to merge 3 commits into from

Conversation

Copy link

Copilot AI commented Jan 8, 2026
edited
Loading

Reviewed commit 7849f30 which adds Prometheus v2 output format with automatic label extraction. Found buffer overflow vulnerability and missing user documentation.

Issues Fixed

Buffer Overflow in prometheus_v2_out_stat

Fixed-size 512-byte buffers used with snprintf() for concatenating metric names and labels. Long metric names like proxy.process.cache.volume_0.lookup.success with multiple labels could exceed buffer size, causing truncation.

Before:

char help_buffer[512];
snprintf(help_buffer, sizeof(help_buffer), "# HELP %s %s\n", 
         sanitized_name.c_str(), name);

After:

std::string help_line = "# HELP " + sanitized_name + " " + 
                        std::string(name) + "\n";
APPEND(help_line.c_str());

Missing Documentation

Added documentation for Prometheus v2 format in stats_over_http.en.rst:

  • Endpoint: /_stats/prometheus_v2
  • Accept header: text/plain; version=2.0.0
  • Label parsing behavior and benefits
  • Content-Type header for v2 responses

Review Summary

  • ✅ Efficient implementation using swoc::TextView
  • ✅ Comprehensive compile-time and runtime tests
  • ✅ Backward compatible with v1 format
  • ✅ No additional security issues beyond buffer overflow (fixed)

Full review at /tmp/COMMIT_REVIEW_7849f30.md

Original prompt

Review commit 7849f30

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

itsh3sam and others added 2 commits January 8, 2026 18:38
@itsh3sam
plugins(stats_over_http): Add Prometheus v2 output with metric labels
7849f30 
The current Prometheus output in stats_over_http dumps flattened metric
names (e.g., proxy.process.http.200_responses), which makes it difficult
to aggregate data in Grafana or Prometheus. This adds a new "v2" output
format that parses these names into proper labels like
status="200" or method="GET".

The new format can be accessed via /_stats/prometheus_v2 or by passing
an Accept header with version=2.0.0.

To keep this efficient, the parsing uses swoc::TextView for a zero-
allocation approach. It recognizes common ATS patterns such as status
codes, HTTP methods, cache results, and thread/volume indices. I've
also added deduplication for the HELP and TYPE metadata lines, so that
metrics sharing the same base name (but different labels) are grouped
correctly in the output.

Includes compile-time unit tests (static_assert) to verify the parsing
logic and updated AuTests for the new endpoint.
Initial plan
54c4a0a
@itsh3sam
Fix buffer overflow and add documentation for Prometheus v2
0dc38ec 
Co-authored-by: itsh3sam <81176548+itsh3sam@users.noreply.github.com>
Copilot AI changed the title [WIP] Review commit 7849f30 for quality and consistency Fix buffer overflow and add missing documentation for Prometheus v2 endpoint Jan 8, 2026
Copilot AI requested a review from itsh3sam January 8, 2026 15:22
Copilot AI mentioned this pull request Jan 8, 2026
Closed
@itsh3sam itsh3sam closed this Jan 8, 2026
@itsh3sam itsh3sam deleted the copilot/review-commit-7849f30 branch January 8, 2026 15:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@itsh3sam itsh3sam Awaiting requested review from itsh3sam

Assignees

@itsh3sam itsh3sam

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@itsh3sam