From a77044ca71446fb43dc6bc3d2a4b286198a31d9c Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sun, 21 Feb 2021 16:42:00 +0000
Subject: [PATCH] Relax metrics arg validation

---
 node/metrics.go | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/node/metrics.go b/node/metrics.go
index d0bc92d3..74a80481 100644
--- a/node/metrics.go
+++ b/node/metrics.go
@@ -7,7 +7,6 @@ import (
 	"flag"
 	"log"
 	"net/http"
-	"regexp"
 	"strings"
 	"time"
 
@@ -80,9 +79,6 @@ func (p *metricsProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	})
 }
 
-// Regexp used to validate query arguments.
-var argRx = regexp.MustCompile(`^[-_.a-zA-Z0-9]*$`)
-
 func (p *metricsProxy) queryFromRequest(r *http.Request) (string, v1.Range, error) {
 	name := r.FormValue("query")
 	d, err := time.ParseDuration(r.FormValue("t"))
@@ -90,8 +86,9 @@ func (p *metricsProxy) queryFromRequest(r *http.Request) (string, v1.Range, erro
 		d = time.Hour
 	}
 
+	// We only care that the argument does not contain quotes.
 	arg := r.FormValue("arg")
-	if !argRx.MatchString(arg) {
+	if strings.Contains(arg, "\"") {
 		return "", v1.Range{}, errors.New("bad argument")
 	}
 	q, ok := knownQueries[name]
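Review bot: The relaxed check `strings.Contains(arg, "\"")` rejects only the double quote, so backslashes, newlines and other control characters in `arg` are now accepted where the removed allow-list refused them. The substitution of `arg` into the query is outside this hunk, but if it lands inside a double-quoted string literal in a `knownQueries` template, the backslash is still an escape character there and can change how the closing quote is read. I would reject those characters as well, `if strings.ContainsAny(arg, "\"\\\n\r") {`, or escape the value at the point of substitution instead of filtering it here. The new comment should also state the reason, e.g. `// arg is inserted into a quoted string in the query template, so reject anything that could end or escape that string.` queryFromRequest begins in the previous hunk and continues past the end of this one.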
-- 
GitLab