mirror of
https://github.com/tiennm99/litellm.git
synced 2026-07-06 23:08:16 +00:00
6a5ecafdff
`get_daily_spend_from_prometheus` was interpolating the `api_key` query parameter into a PromQL `hashed_api_key="..."` label matcher with an f-string. Any caller of `/global/spend/logs` could inject a bare `"` to terminate the matcher and append arbitrary PromQL operators or extra metric selectors, exfiltrating cross-tenant telemetry from the connected Prometheus instance. Replace the f-string with `_quote_promql_string_literal`, which uses `json.dumps` to render a complete Go-compatible double-quoted literal. PromQL string literals follow Go's escape rules per https://prometheus.io/docs/prometheus/latest/querying/basics/, and JSON's quoting is a strict subset, so the same escape covers backslash, embedded quote, and control-character cases without rolling a bespoke escape table. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
In total litellm runs 1000+ tests
[02/20/2025] Update:
To make it easier to contribute and map what behavior is tested,
we've started mapping the litellm directory in tests/test_litellm
This folder can only run mock tests.