Actually proxy the query string too

agent/ui_endpoint.go

@@ -589,6 +589,9 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
 	// double slashes etc.
 	u.Path = path.Clean(u.Path)
 
+	// Pass through query params
+	u.RawQuery = req.URL.RawQuery
+
 	// Validate that the full BaseURL is still a prefix - if there was a path
 	// prefix on the BaseURL but an attacker tried to circumvent it with path
 	// traversal then the Clean above would have resolve the /../ components back
@@ -613,6 +616,8 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
 		req.Header.Set(h.Name, h.Value)
 	}
 
+	log.Debug("proxying request", "to", u.String())
+
 	proxy := httputil.ReverseProxy{
 		Director: func(r *http.Request) {
 			r.URL = u

agent/ui_endpoint_test.go

@@ -1566,6 +1566,10 @@ func TestUIEndpoint_MetricsProxy(t *testing.T) {
 			w.Write([]byte("OK"))
 			return
 		}
+		if r.URL.Path == "/some/prefix/query-echo" {
+			w.Write([]byte("RawQuery: " + r.URL.RawQuery))
+			return
+		}
 		if r.URL.Path == "/.passwd" {
 			w.Write([]byte("SECRETS!"))
 			return
@@ -1680,6 +1684,16 @@ func TestUIEndpoint_MetricsProxy(t *testing.T) {
 				"Authorization":       "SECRET_KEY",
 			},
 		},
+		{
+			name: "passes through query params",
+			config: config.UIMetricsProxy{
+				BaseURL: backendURL,
+			},
+			// encoded=test[0]&&test[1]==!@£$%^
+			path:         endpointPath + "/query-echo?foo=bar&encoded=test%5B0%5D%26%26test%5B1%5D%3D%3D%21%40%C2%A3%24%25%5E",
+			wantCode:     http.StatusOK,
+			wantContains: "RawQuery: foo=bar&encoded=test%5B0%5D%26%26test%5B1%5D%3D%3D%21%40%C2%A3%24%25%5E",
+		},
 	}
 
 	for _, tc := range cases {