Merge pull request from GHSA-vx57-7f4q-fpc7

* Do not remove /new because it is not part of the route parameter (CVE-2021-29622)

Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>

* Release 2.27.1

Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>
Julien Pivotto 2021-05-18 14:47:45 +02:00 committed by GitHub
parent 24c9b61221
commit db7f0bcec2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 14 additions and 2 deletions


@ -1,3 +1,15 @@
## 2.27.1 / 2021-05-18
This release contains a bug fix for a security issue in the API endpoint. An
attacker can craft a special URL that redirects a user to any endpoint via an
HTTP 302 response. See the [security advisory][GHSA-vx57-7f4q-fpc7] for more details.
[GHSA-vx57-7f4q-fpc7]:https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
This vulnerability has been reported by Aaron Devaney from MDSec.
* [BUGFIX] SECURITY: Fix arbitrary redirects under the /new endpoint (CVE-2021-29622)
## 2.27.0 / 2021-05-12 ## 2.27.0 / 2021-05-12
* [FEATURE] Promtool: Retroactive rule evaluation functionality. #7675 * [FEATURE] Promtool: Retroactive rule evaluation functionality. #7675
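Review bot: the release note describes the problem as "a security issue in the API endpoint", while the [BUGFIX] line and the advisory title place it in the /new redirect of the web UI; align the summary with the bugfix entry (for example "in the /new redirect handler of the web UI") so readers do not look for the problem in the HTTP API. Two smaller points in the same hunk: the [BUGFIX] SECURITY line carries no PR reference, unlike the other entries in this file (the 2.27.0 entry cites #7675), so add the PR number once it exists; and the reference-style link `[GHSA-vx57-7f4q-fpc7]:https://...` is easier to read with a space after the colon, as in `[GHSA-vx57-7f4q-fpc7]: https://...`.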


@ -1 +1 @@
2.27.0 2.27.1


@ -354,7 +354,7 @@ func New(logger log.Logger, o *Options) *Handler {
// Redirect the original React UI's path (under "/new") to its new path at the root. // Redirect the original React UI's path (under "/new") to its new path at the root.
router.Get("/new/*path", func(w http.ResponseWriter, r *http.Request) { router.Get("/new/*path", func(w http.ResponseWriter, r *http.Request) {
p := route.Param(r.Context(), "path") p := route.Param(r.Context(), "path")
http.Redirect(w, r, path.Join(o.ExternalURL.Path, strings.TrimPrefix(p, "/new"))+"?"+r.URL.RawQuery, http.StatusFound) http.Redirect(w, r, path.Join(o.ExternalURL.Path, p)+"?"+r.URL.RawQuery, http.StatusFound)
}) })
router.Get("/classic/alerts", readyf(h.alerts)) router.Get("/classic/alerts", readyf(h.alerts))
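Review bot: removing `strings.TrimPrefix(p, "/new")` is the right fix, and the reason deserves a comment in the handler: the pattern `"/new/*path"` already consumes the `/new/` prefix, so the `path` parameter can only begin with `/new` when the client put it there, and trimming that client-controlled prefix can leave `path.Join` a value that `http.Redirect` emits as an absolute `Location` rather than a path below `o.ExternalURL.Path`. Since this is the fix for CVE-2021-29622, a regression test for this route that asserts the 302 `Location` stays under `ExternalURL.Path` would keep the bug from returning, and a defensive check before `http.Redirect` that the joined target parses with an empty scheme and host (via `url.Parse`) would make the handler safe even if the parameter handling changes again. Minor: `+"?"+r.URL.RawQuery` still appends a bare `?` when the request has no query string; guarding on `r.URL.RawQuery != ""` keeps the redirect target clean.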