From cec6cfd9a8c3f064cc4265733dfa0ca6143d6043 Mon Sep 17 00:00:00 2001
From: Anthony Quiros <anthony.quiros@tripica.com>
Date: Thu, 6 Oct 2022 18:26:23 +0200
Subject: [PATCH 1/8] Fixing typo in documentation (apache) (#2777)

(cherry picked from commit d6bda76332381a2ff8487efb46f386ad7c6e9bda)
---
 docs/config-webapp.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/config-webapp.rst b/docs/config-webapp.rst
index 880738ef1..8daf1adeb 100644
--- a/docs/config-webapp.rst
+++ b/docs/config-webapp.rst
@@ -323,7 +323,7 @@ Finally, configure the nginx vhost:
         listen 80;
 
         location /static/ {
-            alias /opt/graphite/webapp/content/;
+            alias /opt/graphite/webapp/content/
         }
 
         location / {

From 0a77f9c2ff77cd3b889a6139ab1c18c1d80f5a83 Mon Sep 17 00:00:00 2001
From: Jan Szopinski <jszopi@users.noreply.github.com>
Date: Thu, 6 Oct 2022 16:48:58 +0100
Subject: [PATCH 2/8] Remove old comment (#2781)

(cherry picked from commit 00741ac2e09e24b1cb0d5c090b5707d7d387c931)
---
 webapp/graphite/render/functions.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/webapp/graphite/render/functions.py b/webapp/graphite/render/functions.py
index 14794aac8..308116e34 100644
--- a/webapp/graphite/render/functions.py
+++ b/webapp/graphite/render/functions.py
@@ -4002,7 +4002,6 @@ def holtWintersDeviation(gamma,actual,prediction,last_seasonal_dev):
 def holtWintersAnalysis(series, seasonality='1d'):
   alpha = gamma = 0.1
   beta = 0.0035
-  # season is currently one day
   seasonality_time = parseTimeOffset(seasonality)
   season_length = (seasonality_time.seconds + (seasonality_time.days * 86400)) // series.step
   intercept = 0

From f58586a2d826ddf4c0adf04d58d44ccf73c6fb51 Mon Sep 17 00:00:00 2001
From: Michail Safronov <msaf1980@gmail.com>
Date: Wed, 26 Oct 2022 17:53:57 +0500
Subject: [PATCH 3/8] Sanitize error output for prevent XSS security issues
 (#2782)

* tests for XSS

* sanitize error output for prevent XSS issues

(cherry picked from commit 9c626006eea36a9fd785e8f811359aebc9774970)
---
 webapp/graphite/errors.py | 11 +++++++++-
 webapp/tests/base.py      | 12 +++++++++++
 webapp/tests/test_xss.py  | 42 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 webapp/tests/test_xss.py

diff --git a/webapp/graphite/errors.py b/webapp/graphite/errors.py
index 289541798..144946309 100644
--- a/webapp/graphite/errors.py
+++ b/webapp/graphite/errors.py
@@ -94,6 +94,15 @@ def __str__(self):
         return msg
 
 
+# Replace special characters "&", "<" and ">" to HTML-safe sequences.
+def escape(s):
+    s = s.replace("&", "&amp;")  # Must be done first!
+    s = s.replace("<", "&lt;")
+    s = s.replace(">", "&gt;")
+
+    return s
+
+
 # decorator which turns InputParameterExceptions into Django's HttpResponseBadRequest
 def handleInputParameterError(f):
     def new_f(*args, **kwargs):
@@ -102,6 +111,6 @@ def new_f(*args, **kwargs):
         except InputParameterError as e:
             msgStr = str(e)
             log.warning('%s', msgStr)
-            return HttpResponseBadRequest(msgStr)
+            return HttpResponseBadRequest(escape(msgStr))
 
     return new_f
diff --git a/webapp/tests/base.py b/webapp/tests/base.py
index 3039513cc..512e1e6d3 100644
--- a/webapp/tests/base.py
+++ b/webapp/tests/base.py
@@ -5,3 +5,15 @@
 class TestCase(OriginalTestCase):
     def tearDown(self):
         stop_pools()
+
+    # Assert that a response is unsanitized (for check XSS issues)
+    def assertXSS(self, response, status_code=200, msg_prefix=''):
+        if status_code is not None:
+            self.assertEqual(
+                response.status_code, status_code,
+                msg_prefix + "Couldn't retrieve content: Response code was %d"
+                " (expected %d)" % (response.status_code, status_code)
+            )
+
+        xss = response.content.find(b"<") != -1 or response.content.find(b">") != -1
+        self.assertFalse(xss, msg=msg_prefix+str(response.content))
diff --git a/webapp/tests/test_xss.py b/webapp/tests/test_xss.py
new file mode 100644
index 000000000..7a3a2c9b7
--- /dev/null
+++ b/webapp/tests/test_xss.py
@@ -0,0 +1,42 @@
+import logging
+import sys
+
+try:
+    from django.urls import reverse
+except ImportError:  # Django < 1.10
+    from django.core.urlresolvers import reverse
+
+from .base import TestCase
+
+# Silence logging during tests
+LOGGER = logging.getLogger()
+
+# logging.NullHandler is a python 2.7ism
+if hasattr(logging, "NullHandler"):
+    LOGGER.addHandler(logging.NullHandler())
+
+if sys.version_info[0] >= 3:
+    def resp_text(r):
+        return r.content.decode('utf-8')
+else:
+    def resp_text(r):
+        return r.content
+
+
+class RenderXSSTest(TestCase):
+    def test_render_xss(self):
+        url = reverse('render')
+        xssStr = '<noscript><p title="</noscript><img src=x onerror=alert() onmouseover=alert()>">'
+
+        # Check for issue #2779 and others
+        response = self.client.get(url, {'target': 'test', 'format': 'raw', 'cacheTimeout': xssStr, 'from': xssStr})
+        self.assertXSS(response, status_code=400, msg_prefix='XSS detected: ')
+
+
+class FindXSSTest(TestCase):
+    def test_render_xss(self):
+        url = reverse('metrics_find')
+        xssStr = '<noscript><p title="</noscript><img src=x onerror=alert() onmouseover=alert()>">'
+
+        response = self.client.get(url, {'query': 'test', 'local': xssStr, 'from': xssStr, 'tz': xssStr})
+        self.assertXSS(response, status_code=400, msg_prefix='XSS detected: ')

From 39aa3cf1afa7cd8eacbeb672c55d9ba60574cf3d Mon Sep 17 00:00:00 2001
From: Jon Nangle <jon.nangle@gmail.com>
Date: Wed, 26 Oct 2022 13:07:56 +0100
Subject: [PATCH 4/8] Avoid infinite loop on summarize() (#2784)

(cherry picked from commit 7b120263779ed35eed8b63f7cce1a66473471823)
---
 webapp/graphite/render/functions.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/webapp/graphite/render/functions.py b/webapp/graphite/render/functions.py
index 14794aac8..2864ee237 100644
--- a/webapp/graphite/render/functions.py
+++ b/webapp/graphite/render/functions.py
@@ -5391,6 +5391,9 @@ def summarize(requestContext, seriesList, intervalString, func='sum', alignToFro
 
 
 def _summarizeValues(series, func, interval, newStart=None, newEnd=None):
+  if interval == 0:
+    raise InputParameterError("_summarizeValues(): interval parsed to 0")
+
   if newStart is None:
     newStart = series.start
   if newEnd is None:

From ef5235442e36ebeef3171fcaee593c3146eafe8c Mon Sep 17 00:00:00 2001
From: Denis Zhdanov <denis.zhdanov@gmail.com>
Date: Sun, 6 Nov 2022 19:22:12 +0100
Subject: [PATCH 5/8] Fix issue with too small season length (#2780) (#2787)

(cherry picked from commit 90076f6c60060399a6a3ce0ffc929a1ccc086325)
---
 webapp/graphite/render/functions.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/webapp/graphite/render/functions.py b/webapp/graphite/render/functions.py
index 14794aac8..45623e33a 100644
--- a/webapp/graphite/render/functions.py
+++ b/webapp/graphite/render/functions.py
@@ -4005,6 +4005,9 @@ def holtWintersAnalysis(series, seasonality='1d'):
   # season is currently one day
   seasonality_time = parseTimeOffset(seasonality)
   season_length = (seasonality_time.seconds + (seasonality_time.days * 86400)) // series.step
+  # season_length should be 2 or more
+  if season_length < 2:
+    season_length = 2
   intercept = 0
   slope = 0
   intercepts = list()

From caccd00c1d299a04359bb8662ca3de2cd5623f41 Mon Sep 17 00:00:00 2001
From: Michail Safronov <msaf1980@gmail.com>
Date: Tue, 13 Dec 2022 21:28:01 +0500
Subject: [PATCH 6/8] =?UTF-8?q?=D0=A1heck=20applyByNode=20nodeNum=20arg=20?=
 =?UTF-8?q?(#2792)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* check applyByNode nodeNum arg

* fix flapping test

(cherry picked from commit 02bc0c836269e07b38175fbfe3b5689afc87b4fa)
---
 webapp/graphite/render/functions.py |  5 ++++-
 webapp/tests/test_functions.py      | 34 ++++++++++++++++++++++++++++-
 webapp/tests/test_readers_multi.py  |  3 ++-
 3 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/webapp/graphite/render/functions.py b/webapp/graphite/render/functions.py
index 14794aac8..8b68d45b8 100644
--- a/webapp/graphite/render/functions.py
+++ b/webapp/graphite/render/functions.py
@@ -5100,7 +5100,10 @@ def applyByNode(requestContext, seriesList, nodeNum, templateFunction, newName=N
   """
   prefixes = set()
   for series in seriesList:
-    prefix = '.'.join(series.name.split('.')[:nodeNum + 1])
+    nodes = series.name.split('.')
+    if nodeNum >= len(nodes):
+        raise InputParameterError("{} do not contans {} nodes".format(series.name, nodeNum))
+    prefix = '.'.join(nodes[:nodeNum + 1])
     prefixes.add(prefix)
   results = []
   newContext = requestContext.copy()
diff --git a/webapp/tests/test_functions.py b/webapp/tests/test_functions.py
index cc92475ca..509514e6d 100644
--- a/webapp/tests/test_functions.py
+++ b/webapp/tests/test_functions.py
@@ -18,7 +18,7 @@
 except ImportError:  # Django < 1.10
     from django.core.urlresolvers import reverse
 
-from graphite.errors import NormalizeEmptyResultError
+from graphite.errors import NormalizeEmptyResultError, InputParameterError
 from graphite.functions import _SeriesFunctions, loadFunctions, safe
 from graphite.render.datalib import TimeSeries
 from graphite.render import functions
@@ -4522,6 +4522,38 @@ def mock_data_fetcher(reqCtx, path_expression):
             )
         self.assertEqual(result, expectedResults)
 
+    @patch('graphite.render.evaluator.prefetchData', lambda *_: None)
+    def test_applyByNode_Overflow(self):
+        seriesList = self._gen_series_list_with_data(
+            key=['servers.s1.disk.bytes_used', 'servers.s1.disk.bytes_free','servers.s2.disk.bytes_used','servers.s2.disk.bytes_free'],
+            start=0,
+            end=3,
+            data=[[10, 20, 30], [90, 80, 70], [1, 2, 3], [99, 98, 97]]
+        )
+
+        def mock_data_fetcher(reqCtx, path_expression):
+            rv = []
+            for s in seriesList:
+                if s.name == path_expression or fnmatch(s.name, path_expression):
+                    rv.append(s)
+            if rv:
+                return rv
+            raise KeyError('{} not found!'.format(path_expression))
+
+        with patch('graphite.render.evaluator.fetchData', mock_data_fetcher):
+            try:
+                functions.applyByNode(
+                    self._build_requestContext(
+                        startTime=datetime(1970, 1, 1, 0, 0, 0, 0, pytz.timezone(settings.TIME_ZONE)),
+                        endTime=datetime(1970, 1, 1, 0, 9, 0, 0, pytz.timezone(settings.TIME_ZONE))
+                    ),
+                    seriesList, 4,
+                    'divideSeries(%.disk.bytes_used, sumSeries(%.disk.bytes_*))'
+                )
+                self.fail('must raise with InputParameterError')
+            except InputParameterError:
+                pass
+
     @patch('graphite.render.evaluator.prefetchData', lambda *_: None)
     def test_applyByNode_newName(self):
         seriesList = self._gen_series_list_with_data(
diff --git a/webapp/tests/test_readers_multi.py b/webapp/tests/test_readers_multi.py
index 76ef5c1a2..6b3503a25 100644
--- a/webapp/tests/test_readers_multi.py
+++ b/webapp/tests/test_readers_multi.py
@@ -86,8 +86,9 @@ def test_MultiReader_get_intervals(self):
         reader = MultiReader([node1, node2])
         intervals = reader.get_intervals()
         for interval in intervals:
-            self.assertEqual(int(interval.start), self.start_ts - 60)
+            self.assertIn(int(interval.start), [self.start_ts - 60, self.start_ts - 60 - 1])
             self.assertIn(int(interval.end), [self.start_ts, self.start_ts - 1])
+            self.assertIn(int(interval.end - interval.start), [59,60])
 
     # Confirm fetch works.
     def test_MultiReader_fetch(self):

From d5cd5dadd9fc142074e63870353da8fe86f0a43e Mon Sep 17 00:00:00 2001
From: Jonathan Milgrom <jbmilgrom@gmail.com>
Date: Thu, 22 Dec 2022 04:02:23 -0800
Subject: [PATCH 7/8] Introduce the term "node" (#2793)

Node appears throughout the documentation. Helpful to expressly place the term "node" with the hierarchal tree/series to better illuminate concepts like groupByNode.

(cherry picked from commit 11d996639ed24499edd9bff55607ed787c316950)
---
 docs/terminology.rst | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/terminology.rst b/docs/terminology.rst
index 8bc2db4e1..06e4cba43 100644
--- a/docs/terminology.rst
+++ b/docs/terminology.rst
@@ -18,6 +18,9 @@ terms mean in the context of Graphite.
 
     metric series
       See :term:`series`
+      
+    node
+      An element of the name of a :term:`series` separated by periods (``.``).
 
     precision
       See :term:`resolution`
@@ -35,7 +38,7 @@ terms mean in the context of Graphite.
 
     series
       A named set of datapoints. A series is identified by a unique name, which is composed of
-      elements separated by periods (``.``) which are used to display the collection of series
+      elements (each, a :term:`node`) separated by periods (``.``) which are used to display the collection of series
       into a hierarchical tree. A series storing system load average on a server called ``apache02``
       in datacenter ``metro_east`` might be named as ``metro_east.servers.apache02.system.load_average``
 

From b20792784eed354304bfc925136ea4c5e544503d Mon Sep 17 00:00:00 2001
From: Denis Zhdanov <denis.zhdanov@gmail.com>
Date: Sun, 19 Feb 2023 18:47:55 +0100
Subject: [PATCH 8/8] Pinning alabaster to 0.7.12 (#2805)

(cherry picked from commit d6a1d2be22623271642d7ed2588cf24690c90edb)

# Conflicts:
#	tox.ini
---
 tox.ini | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tox.ini b/tox.ini
index fd18a64f1..135d1d484 100644
--- a/tox.ini
+++ b/tox.ini
@@ -62,7 +62,8 @@ deps =
 	git+https://github.com/graphite-project/ceres.git#egg=ceres
 	Django<3.2.99
 	pyparsing: pyparsing>=2.3.0,<3.0.0
-	Sphinx<1.4
+	alabaster==0.7.12
+	Sphinx==1.3.6
 	jinja2<3.1.0
 	sphinx_rtd_theme
 	urllib3