
security: fix stored XSS in alertmanager and storegateway status pages#7512

Merged
danielblando merged 3 commits into
cortexproject:masterfrom
danielblando:fix/xss-text-template-to-html-template
May 12, 2026

Conversation

@danielblando
Contributor

@danielblando danielblando commented May 12, 2026

What this PR does

Fixes a stored XSS vulnerability in the Alertmanager and Store Gateway HTTP status pages by replacing text/template with html/template.

Fix

Replace text/template with html/template in:

  • pkg/alertmanager/alertmanager_http.go
  • pkg/storegateway/gateway_http.go

html/template automatically escapes values in HTML context, preventing script injection.

Testing

Added a test in pkg/alertmanager/alertmanager_http_test.go that verifies HTML-special characters in tenant IDs are properly escaped in the rendered output.
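To show why the swap closes the injection, here is an added example (not code from this PR or from Cortex) that renders one constructed status-page template with both packages over constructed tenant IDs. The template, the `pageData` type and the tenant values are assumptions; the only behaviour it relies on is that `html/template` escapes values by the HTML context they land in.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// statusPage is a constructed stand-in for a status page listing tenants in a table (not the Cortex template).
const statusPage = `<html><body><table>
{{ range .Tenants }}<tr><td>{{ . }}</td></tr>
{{ end }}</table></body></html>`

type pageData struct{ Tenants []string }

// Constructed inputs: one benign tenant ID and two carrying HTML-special characters.
var sampleTenants = []string{"tenant-a", `<script>alert(1)</script>`, `a"b&c`}

// The same template source parsed by both packages; only html/template reads the markup around each {{ . }}.
var (
	textTmpl = texttemplate.Must(texttemplate.New("status").Parse(statusPage))
	htmlTmpl = htmltemplate.Must(htmltemplate.New("status").Parse(statusPage))
)

// renderWithTextTemplate is the pre-fix behaviour: values are written verbatim, markup included.
func renderWithTextTemplate(tenants []string) (string, error) {
	var buf bytes.Buffer
	err := textTmpl.Execute(&buf, pageData{Tenants: tenants})
	return buf.String(), err
}

// renderWithHTMLTemplate is the post-fix behaviour: < > & " ' in text context are entity-encoded.
func renderWithHTMLTemplate(tenants []string) (string, error) {
	var buf bytes.Buffer
	err := htmlTmpl.Execute(&buf, pageData{Tenants: tenants})
	return buf.String(), err
}

// hasRawScriptTag is the regression check a test should make: no rendered page may contain an unescaped <script> tag.
func hasRawScriptTag(page string) bool {
	return strings.Contains(page, "<script>")
}

func main() {
	raw, _ := renderWithTextTemplate(sampleTenants)
	safe, _ := renderWithHTMLTemplate(sampleTenants)
	fmt.Printf("raw <script> present: text/template=%v html/template=%v\n", hasRawScriptTag(raw), hasRawScriptTag(safe))
}
```

The same template source compiles under both packages, which is why the fix is a one-line import change; the difference is entirely in what `Execute` writes for each `{{ . }}`.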

danielblando and others added 2 commits May 12, 2026 14:20
Replace text/template with html/template in alertmanager_http.go and
gateway_http.go to auto-escape HTML special characters. This prevents
stored XSS via crafted gossip member names rendered on status pages.

The html/template package has an identical API to text/template but
automatically escapes HTML, JS, and URI contexts.

Add TestStatusHandler_HTMLEscaping to verify XSS payloads are escaped.

Fixes #22

Signed-off-by: Daniel Blando <ddeluigg@amazon.com>
Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
Signed-off-by: Daniel Blando <ddeluigg@amazon.com>
@danielblando danielblando force-pushed the fix/xss-text-template-to-html-template branch from 284c0d3 to ec12938 on May 12, 2026 21:23
@dosubot dosubot Bot added the lgtm label (This PR has been approved by a maintainer) May 12, 2026
@friedrichg
Member

Thanks!

@danielblando danielblando merged commit af9c40c into cortexproject:master May 12, 2026
67 of 69 checks passed
@danielblando danielblando deleted the fix/xss-text-template-to-html-template branch May 12, 2026 22:17
