security: fix stored XSS in alertmanager and storegateway status pages (#7512)

danielblando · friedrichg · web-flow · commit af9c40c2158e · 2026-05-12T15:11:06.000-07:00
* security: fix stored XSS in alertmanager and storegateway status pages Replace text/template with html/template in alertmanager_http.go and gateway_http.go to auto-escape HTML special characters. This prevents stored XSS via crafted gossip member names rendered on status pages. The html/template package has an identical API to text/template but automatically escapes HTML, JS, and URI contexts. Add TestStatusHandler_HTMLEscaping to verify XSS payloads are escaped. Fixes #22 Signed-off-by: Daniel Blando <ddeluigg@amazon.com> * Fix lint Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com> * changelog Signed-off-by: Daniel Blando <ddeluigg@amazon.com> --------- Signed-off-by: Daniel Blando <ddeluigg@amazon.com> Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com> Co-authored-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -34,6 +34,7 @@
 * [BUGFIX] Config: Mask Swift, etcd, Redis, and HTTP basic-auth credentials on the `/config` endpoint. #7473
 * [BUGFIX] Memberlist: Drop incoming TCP transport packets when digest verification fails, preventing corrupted payloads from being forwarded. #7474
 * [BUGFIX] Compactor: Fix stale `cortex_bucket_index_last_successful_update_timestamp_seconds` metric not being cleaned up when tenant ownership changes due to ring rebalancing. This caused false alarms on bucket index update rate when a tenant moved between compactors. #7485
+* [BUGFIX] Security: Fix stored XSS vulnerability in Alertmanager and Store Gateway status pages by replacing `text/template` with `html/template`. #7512
 
 ## 1.21.0 2026-04-24
 
diff --git a/pkg/alertmanager/alertmanager_http.go b/pkg/alertmanager/alertmanager_http.go
@@ -1,8 +1,8 @@
 package alertmanager
 
 import (
+	"html/template"
 	"net/http"
-	"text/template"
 
 	"github.com/go-kit/log/level"
 
diff --git a/pkg/alertmanager/alertmanager_http_test.go b/pkg/alertmanager/alertmanager_http_test.go
@@ -1,6 +1,7 @@
 package alertmanager
 
 import (
+	"bytes"
 	"io"
 	"net/http/httptest"
 	"testing"
@@ -12,6 +13,32 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func TestStatusHandler_HTMLEscaping(t *testing.T) {
+	// Verify that html/template escapes XSS payloads in the status page.
+	xssPayload := `<script>alert("xss")</script>`
+
+	var buf bytes.Buffer
+	err := statusTemplate.Execute(&buf, struct {
+		ClusterInfo map[string]any
+	}{
+		ClusterInfo: map[string]any{
+			"self": map[string]any{
+				"Name": xssPayload,
+				"Addr": "127.0.0.1",
+				"Port": "9094",
+			},
+			"members": []map[string]any{
+				{"Name": xssPayload, "Addr": "127.0.0.1:9094"},
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	content := buf.String()
+	require.NotContains(t, content, xssPayload, "XSS payload must be escaped by html/template")
+	require.Contains(t, content, "&lt;script&gt;", "HTML special characters must be escaped")
+}
+
 func TestMultitenantAlertmanager_GetStatusHandler(t *testing.T) {
 	ctx := t.Context()
 	var peer *cluster.Peer
diff --git a/pkg/storegateway/gateway_http.go b/pkg/storegateway/gateway_http.go
@@ -1,8 +1,8 @@
 package storegateway
 
 import (
+	"html/template"
 	"net/http"
-	"text/template"
 
 	"github.com/go-kit/log/level"
 
