Comments (7)
zekker6
commented on July 23, 2024
3
From the security POV this seems to be a very good suggestion, thanks @wasim-nihal!
It would be important to make sure that all credentials comparison functions will be converted to constant time comparison.
from victoriametrics.
hagen1778
commented on July 23, 2024
2
I like this proposal as well!
from victoriametrics.
hagen1778
commented on July 23, 2024
2
#6423 was merged and will be available in the next release.
from victoriametrics.
wasim-nihal
commented on July 23, 2024
1
Thanks, @zekker6 , @hagen1778 for accepting the proposal!!
It would be important to make sure that all credentials comparison functions will be converted to constant time comparison.
As of now, I have taken note of only authkey and basic auth credential comparison. I will explore the codebase a bit more and see where such similar comparisons are made and open the PRs (maybe in stages). Any heads-up would be helpful 🚀
from victoriametrics.
Haleygo
commented on July 23, 2024
@zekker6 @f41gh7 @hagen1778 Could you share some thoughts here?
from victoriametrics.
valyala
commented on July 23, 2024
FYI, I reverted the commit 9b7e532 in 82d6394 . See commit description for the reasons of the revert.
from victoriametrics.
valyala
commented on July 23, 2024
Additional notes regarding this issue additionally to comments at 82d6394 : it is expected that all the VictoriaMetrics components run in protected private networks - see these docs. The only component, which can be exposed to the public Internet is vmauth. If we are going to fix real security issues (if they really exist), then they must be fixed at vmauth at first.
from victoriametrics.
Related Issues (20)
- victorialogs vmui: unresponsive after query execution HOT 1
- Random inconsistent results in query operations from the same instance and exporter HOT 10
- vmalert: replay exit with status 0 when generated samples are not successfully pushed HOT 2
- How to optimize the cross AZ traffic cost of vmagent in AWS eks clusters HOT 7
- After the vmstorage-retentionPeriod is changed, the disk usage increases instead of being released HOT 2
- Add Data Ingestion Section to Documentation
- Feature request: show link to VM query UI from vmalert HOT 1
- how can I implement sending metrics to telegram using vmalert HOT 1
- Whether to add additional metrics to remoteWrite Client in vmalert HOT 7
- I have three storage nodes. Why is the data volume of storage nodes not balanced? HOT 3
- vmui for VictoriaLogs: show top 5 log streams in the bar chart HOT 2
- Cisco APs to Victorialogs is crashing "runtime error: index out of range [0] with length 0" HOT 4
- Something like `min_over_time` that considers `default` operator as well HOT 2
- vmbackupmanager : metrics vm_backup_last_run_failed seems to be false HOT 1
- bug: MetricsQL: sum_over_time no de-duplication leads to a doubling of the aggregated data HOT 1
- victorialogs: some queries with logical filter return unexpected results
- confuse about the DeduplicateInterval in dedup_test.go
- Web UI for VictoriaLogs: show spinner at bar chart until the corresponding /select/logsql/hits response is returned
- Web UI for VictoriaLogs: show JSON with a single field in compact view at the JSON tab
- [VictoriaLogs] support data ingestion from otlp or otlphttp exporter of otel-collector HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from victoriametrics.