Are users safe to use GFM in alert payload?
Problem
In https://gitlab.slack.com/archives/CK06WE78S/p1591112806038100 (internal) @smcgivern linked a suspicious log entry for a firing alert processed by IncidentManagement::ProcessAlertWorker.
Note
"description"=>""Question
Is GitLab's Alert (~"Category:Alert Management", Category:Incident Management) functionality vulnerable to GitLab Flavored Markdown (GFM) some kind of attacks (here path traversal).
Assumption
We are safe.
An incoming alert payload can trigger the following actions:
- Via Prometheus alert endpoint and the
Prometheus::NotifyService-
✔ Create alerts for ~"Category:Alert Management" viaAlertManagement::ProcessPrometheusAlertServicewhich does not support GFM (yet) -
✔ Persist alert events viaAlerts::CreateEventsServicewhich not storing the actual content but just the project id and fingerprint -
✔ Send emails viaprometheus_alerts_firedwhich does not support GFM -
✔ Create issues for Category:Incident Management viaIncidentManagement::ProcessPrometheusAlertWorkerwhich passes title and description toIssuewhich support the complete and safe GFM pipeline
-
- Via Generic alert endpoint and
Alerting::NotifyService-
✔ Send emails viaprometheus_alerts_firedwhich does not support GFM -
✔ UsesIncidentManagement::ProcessAlertWorkerto- Create alerts for ~"Category:Alert Management" which does not support GFM (yet)
- Create issue for Category:Incident Management which passes title and description to
Issuewhich support the complete and safe GFM pipeline
-
Proof
Via https://gitlab.com/gitlab-org/monitor/tanuki-inc/.
| Alert Management | Issue | |
|---|---|---|
 no GFM support |
 malicious link pointing to https://gitlab.com/path/traversal
|
 no GFM support |
Edited by Peter Leitzen