Rust implementation of OCI Distribution Spec with granular access control

Metrics cardinality explosion from unmatched catch-all routes #3

open opened by pierrelf.com

Problem

The catch-all routes in meta.rs match every unhandled path, and the metrics middleware in middleware.rs records each unique path as-is (the normalize_endpoint function only normalizes known /v2/ and /admin/ patterns). In production, bots and scanners generate hundreds of unique paths like /.env, /.git/config, /wp-login.php, /robots.txt, etc.

Each unique path creates a new time series in Prometheus, leading to unbounded cardinality growth.

Two bugs here

  1. Metrics cardinality: normalize_endpoint() has no fallback for unknown paths, so every unique scanner path becomes its own metric label. Should map unrecognized paths to a generic label like /_other.

  2. Catch-all returns 200: The catch-all handlers in meta.rs return a 200 status with plain text "Not found" instead of a proper 404 StatusCode. This confuses monitoring and makes it look like every scanner probe succeeds.

Files to modify

  • src/middleware.rs - Add fallback normalization in normalize_endpoint()
  • src/meta.rs - Return StatusCode::NOT_FOUND instead of implicit 200
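As an added illustration of the fallback in bug 1 (this is not the repository's code; the exact /v2/ and /admin/ route shapes the real normalize_endpoint() knows are assumed, since the issue does not list them):

```rust
// Added example, not the project's code. A normalize_endpoint() whose output
// is drawn from a fixed set of templates, so scanner probes such as /.env or
// /wp-login.php all collapse into one "/_other" series instead of each
// becoming its own Prometheus label.

/// Reduce the tail of a /v2/ path to a template. Repository names may contain
/// slashes, so only the last segments decide the shape. (Assumed route set.)
fn normalize_v2(rest: &[&str]) -> &'static str {
    let n = rest.len();
    // /v2/{name}/blobs/uploads/{uuid}: needs name + 3 trailing segments
    if n >= 4 && rest[n - 3] == "blobs" && rest[n - 2] == "uploads" {
        return "/v2/{name}/blobs/uploads/{uuid}";
    }
    if n >= 3 {
        match (rest[n - 2], rest[n - 1]) {
            ("manifests", _) => return "/v2/{name}/manifests/{reference}",
            ("blobs", "uploads") => return "/v2/{name}/blobs/uploads/",
            ("blobs", _) => return "/v2/{name}/blobs/{digest}",
            ("tags", "list") => return "/v2/{name}/tags/list",
            _ => {}
        }
    }
    "/_other"
}

/// Map a request path to a bounded metric label. Every path that is not a
/// recognised route lands in "/_other", which is the fallback the issue asks for.
pub fn normalize_endpoint(path: &str) -> &'static str {
    // Drop the query string so "/.env?x=1" and "/.env" share one bucket.
    let path = path.split('?').next().unwrap_or("");
    let segs: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();
    match segs.as_slice() {
        ["v2"] => "/v2/",
        ["v2", "_catalog"] => "/v2/_catalog",
        ["v2", rest @ ..] => normalize_v2(rest),
        ["admin"] => "/admin",
        ["admin", _, ..] => "/admin/{section}", // assumed admin shape
        _ => "/_other", // unknown paths: bots, scanners, typos
    }
}

fn main() {
    // Constructed sample paths of the kind a scanner and a real client send.
    for p in ["/.env", "/.git/config", "/v2/library/alpine/manifests/latest"] {
        println!("{p} -> {}", normalize_endpoint(p));
    }
}
```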
AT URI
at://did:plc:meotu43t6usg4qdwzenk4s2t/sh.tangled.repo.issue/3mfkg6pgztq2q