Skip to content

security: fix stored XSS in alertmanager and storegateway status pages #7512

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
danielblando merged 3 commits into from
May 12, 2026
+30 −2
Merged

security: fix stored XSS in alertmanager and storegateway status pages #7512

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6ae4579
security: fix stored XSS in alertmanager and storegateway status pages
danielblando Apr 30, 2026
82ff984
Fix lint
friedrichg May 2, 2026
ec12938
changelog
danielblando May 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@
* [BUGFIX] Config: Mask Swift, etcd, Redis, and HTTP basic-auth credentials on the `/config` endpoint. #7473
* [BUGFIX] Memberlist: Drop incoming TCP transport packets when digest verification fails, preventing corrupted payloads from being forwarded. #7474
* [BUGFIX] Compactor: Fix stale `cortex_bucket_index_last_successful_update_timestamp_seconds` metric not being cleaned up when tenant ownership changes due to ring rebalancing. This caused false alarms on bucket index update rate when a tenant moved between compactors. #7485
* [BUGFIX] Security: Fix stored XSS vulnerability in Alertmanager and Store Gateway status pages by replacing `text/template` with `html/template`. #7512

## 1.21.0 2026-04-24

Expand Down
2 changes: 1 addition & 1 deletion pkg/alertmanager/alertmanager_http.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
package alertmanager

import (
"html/template"
"net/http"
"text/template"

"github.com/go-kit/log/level"

Expand Down
27 changes: 27 additions & 0 deletions pkg/alertmanager/alertmanager_http_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package alertmanager

import (
"bytes"
"io"
"net/http/httptest"
"testing"
Expand All @@ -12,6 +13,32 @@ import (
"github.com/stretchr/testify/require"
)

func TestStatusHandler_HTMLEscaping(t *testing.T) {
// Verify that html/template escapes XSS payloads in the status page.
xssPayload := `<script>alert("xss")</script>`

var buf bytes.Buffer
err := statusTemplate.Execute(&buf, struct {
ClusterInfo map[string]any
}{
ClusterInfo: map[string]any{
"self": map[string]any{
"Name": xssPayload,
"Addr": "127.0.0.1",
"Port": "9094",
},
"members": []map[string]any{
{"Name": xssPayload, "Addr": "127.0.0.1:9094"},
},
},
})
require.NoError(t, err)

content := buf.String()
require.NotContains(t, content, xssPayload, "XSS payload must be escaped by html/template")
require.Contains(t, content, "&lt;script&gt;", "HTML special characters must be escaped")
}

func TestMultitenantAlertmanager_GetStatusHandler(t *testing.T) {
ctx := t.Context()
var peer *cluster.Peer
Expand Down
2 changes: 1 addition & 1 deletion pkg/storegateway/gateway_http.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
package storegateway

import (
"html/template"
"net/http"
"text/template"

"github.com/go-kit/log/level"

Expand Down
Loading