Merge pull request from GHSA-v86x-5fm3-5p7j

Check the validity of the generatorURL field
prometheus · Aug 23, 2023 · 8b9f2fd · 8b9f2fd
2 parents 258fab7 + 48314e3
commit 8b9f2fd
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.25.1 / 2023-08-23
+
+* [BUGFIX] Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI.
+
 ## 0.25.0 / 2022-12-22
 
 * [CHANGE] Change the default `parse_mode` value from `MarkdownV2` to `HTML` for Telegram. #2981

diff --git a/asset/assets_vfsdata.go b/asset/assets_vfsdata.go
diff --git a/ui/app/src/Views/Shared/Alert.elm b/ui/app/src/Views/Shared/Alert.elm
@@ -45,8 +45,12 @@ titleView alert =
 
 generatorUrlButton : String -> Html msg
 generatorUrlButton url =
-    a
-        [ class "btn btn-outline-info border-0", href url ]
-        [ i [ class "fa fa-line-chart mr-2" ] []
-        , text "Source"
-        ]
+    if String.startsWith "http://" url || String.startsWith "https://" url then
+        a
+            [ class "btn btn-outline-info border-0", href url ]
+            [ i [ class "fa fa-line-chart mr-2" ] []
+            , text "Source"
+            ]
+
+    else
+        text ""