Add a shared secret to prevent abuse of the alert endpoint
For more context, please see: https://gitlab.com/gitlab-org/gitlab-ee/issues/7528
Currently we generate emails to members of the project when an alert is triggered. However, we do not validate requests to that endpoint, which means an attacker could cause false notification emails to be generated.
We should add a shared secret, provisioned between Prometheus and GitLab, which we validate to ensure the alert notification was actually generated by Prometheus and is valid.
Proposal

- When an alert is configured in the UI, we today update the Prometheus configuration. As part of this process, we set the webhook URL that Prometheus should call.
- To add a shared secret, we can simply add a new `secret` label to the alert and store the contents somewhere in the database. (Maybe in the record where we store the alert details itself?)
- Then when an alert fires, Prometheus will include all alert labels: https://prometheus.io/docs/alerting/configuration/#%3Cwebhook_config%3E
- GitLab can then match the `gitlab_alert_id` and `secret` values, and only if they match, trigger the alert.
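The validation step described in the proposal, written out as an added Ruby example (not GitLab's own code). It assumes a lookup from `gitlab_alert_id` to the stored secret (the `ALERT_SECRETS` hash stands in for the database record), uses the `gitlab_alert_id` and `secret` label names from the proposal, and parses the Alertmanager webhook body shape. The constant-time comparison is an addition of this example, not something the proposal specifies; the payload is constructed for illustration.

```ruby
require 'json'
require 'digest'

# Constructed lookup of stored alert records: gitlab_alert_id => shared secret.
# In the proposal these would live in the database with the alert details;
# the values here are invented for the example.
ALERT_SECRETS = {
  "42" => "c0ffee-shared-secret-42",
  "43" => "deadbeef-shared-secret-43"
}.freeze

# Constant-time equality check. Both inputs are hashed to a fixed length first,
# so neither the length nor the position of the first mismatch leaks via timing.
def secure_equal?(a, b)
  da = Digest::SHA256.digest(a.to_s)
  db = Digest::SHA256.digest(b.to_s)
  diff = 0
  da.bytes.each_with_index { |x, i| diff |= x ^ db.getbyte(i) }
  diff.zero?
end

# Validates one alert's labels against the stored secret for its gitlab_alert_id.
# Returns a symbol describing the outcome so callers can log rejections.
def validate_alert(labels, secrets)
  alert_id = labels["gitlab_alert_id"]
  return :missing_alert_id if alert_id.nil? || alert_id.empty?
  expected = secrets[alert_id]
  return :unknown_alert if expected.nil?
  return :missing_secret unless labels.key?("secret")
  secure_equal?(expected, labels["secret"]) ? :ok : :bad_secret
end

# Splits an Alertmanager webhook payload into alerts that may trigger
# notifications and alerts that must be dropped (with the reason).
def authorize_webhook(payload_json, secrets = ALERT_SECRETS)
  payload = JSON.parse(payload_json)
  accepted = []
  rejected = []
  Array(payload["alerts"]).each do |alert|
    labels = alert.fetch("labels", {})
    result = validate_alert(labels, secrets)
    if result == :ok
      accepted << labels["gitlab_alert_id"]
    else
      rejected << [labels["gitlab_alert_id"], result]
    end
  end
  { accepted: accepted, rejected: rejected }
end

# Constructed Alertmanager webhook body (top-level shape follows the
# webhook_config receiver format; the alerts themselves are invented).
SAMPLE_PAYLOAD = JSON.generate(
  "version" => "4",
  "status" => "firing",
  "receiver" => "gitlab",
  "alerts" => [
    { "status" => "firing",
      "labels" => { "alertname" => "HighCPU", "gitlab_alert_id" => "42",
                    "secret" => "c0ffee-shared-secret-42" } },
    { "status" => "firing",
      "labels" => { "alertname" => "HighCPU", "gitlab_alert_id" => "43",
                    "secret" => "guessed-wrong" } },
    { "status" => "firing",
      "labels" => { "alertname" => "NoSecret", "gitlab_alert_id" => "42" } },
    { "status" => "firing",
      "labels" => { "alertname" => "NoId", "secret" => "c0ffee-shared-secret-42" } }
  ]
)

if __FILE__ == $PROGRAM_NAME
  result = authorize_webhook(SAMPLE_PAYLOAD)
  puts "accepted: #{result[:accepted].inspect}"
  puts "rejected: #{result[:rejected].inspect}"
end
```

Only the first alert passes; the others are rejected with a reason that can be logged, which is the signal a defender would want when someone probes the endpoint. Matching on both `gitlab_alert_id` and `secret` (rather than the secret alone) means a secret leaked for one alert cannot be replayed against a different alert record.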
Fix
Security issue: https://dev.gitlab.org/gitlab/gitlab-ee/issues/359