config.SecretURL type returns Json.Unmarshal() error which can expose the secret url. #3884

Closed
@codeknight03

What did you do?
While running an Alertmanager instance using the Alertmanager CRD exposed by Prometheus Operator, we discovered that when the UnmarshalJSON() method of the SecretURL type is called, it returns the URL itself as part of the error.

What did you expect to see?
The secret URL should not have been logged as part of the error.

What did you see instead? Under which circumstances?
The secret URL was logged as part of the error for parsing a wrong URL.

Environment

  • System information:
    Linux 5.15.153.1-microsoft-standard-WSL2 x86_64

  • Alertmanager version:
    alertmanager, version 0.27.0 (branch: main, revision: 730bd75)
    build user: codeknight@LAPTOP-VI2SBH3S
    build date: 20240619-18:46:55
    go version: go1.22.0
    platform: linux/amd64
    tags: netgo

  • Prometheus version:

  • Alertmanager configuration file:

inhibitRules:
  - equal:
    - alertname
    sourceMatch:
    - name: 'severity'
      value: 'critical'
      matchType: '='
    targetMatch:
    - name: 'severity'
      value: 'warning'
      matchType: '='
receivers:
  - name: SlackAlerts
    slackConfigs:
      - channel: '#slack-channel-example'
        apiURL:
          name: slack-api-secret
          key: url
        sendResolved: true
route:
    receiver: 'SlackAlerts'
    groupBy: [cluster_short, alertname]
    groupWait: 60s
    groupInterval: 15m
    repeatInterval: 4h
    continue: true
  • Prometheus configuration file:
    Not relevant
  • Logs:
    Logs from the prometheus operator rather than from the alertmanager itself while using config.SecretURL as the type for the URL.
level=warn ts=2024-06-19T19:33:29.629989322Z caller=operator.go:1003 component=alertmanager-controller msg="skipping alertmanagerconfig" error="slack api 'url' secret failed validation: validate url from string failed with error: parse \"://mywrongurl.com\": missing protocol scheme" alertmanagerconfig=test/slack-receivertest namespace=test alertmanager=testalertmanager
level=info ts=2024-06-19T19:33:29.633045784Z caller=operator.go:796 component=alertmanager-controller alertmanager=testalertmanager namespace=test msg="config secret not found, using default Alertmanager configuration" secret=alertmanager-testalertmanager
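
The `parse "...": missing protocol scheme` text in the log above is the message format of Go's `url.Parse` error, which quotes the input it failed on. The following Go sketch is an added example, not Alertmanager's or Prometheus Operator's code: the `leakyURL` and `redactedURL` types, the `decodeError` helper and the URL value are constructed for illustration, and it shows the wrapped error next to one that carries no part of the input.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// leakyURL and redactedURL are hypothetical types written for this example.
type leakyURL struct{ *url.URL }
type redactedURL struct{ *url.URL }

// UnmarshalJSON wraps the url.Parse error. That error is a *url.Error whose
// text quotes the raw input, so the secret travels with the error into logs.
func (s *leakyURL) UnmarshalJSON(data []byte) (err error) {
	var raw string
	if err = json.Unmarshal(data, &raw); err != nil {
		return err
	}
	if s.URL, err = url.Parse(raw); err != nil {
		return fmt.Errorf("validate url from string failed with error: %w", err)
	}
	return nil
}

// UnmarshalJSON returns a fixed message and discards the url.Parse error.
func (s *redactedURL) UnmarshalJSON(data []byte) (err error) {
	var raw string
	if err = json.Unmarshal(data, &raw); err != nil {
		return err
	}
	if s.URL, err = url.Parse(raw); err != nil {
		return errors.New("secret URL failed validation: not a valid URL")
	}
	return nil
}

// decodeError decodes secret as a JSON string into v and returns the error.
func decodeError(v any, secret string) error {
	b, _ := json.Marshal(secret)
	return json.Unmarshal(b, v)
}

func main() {
	const secret = "://hooks.example.invalid/constructed-token" // constructed value
	fmt.Println(decodeError(&leakyURL{}, secret))
	fmt.Println(decodeError(&redactedURL{}, secret))
}
```

The redacted variant drops the inner reason as well, because some `url.Parse` failure reasons quote fragments of the input.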
