From 55d41b6870f8e50166e40e7bdb2b6db5b5b74892 Mon Sep 17 00:00:00 2001
From: Yexiang Zhang
Date: Wed, 25 Sep 2024 15:24:40 +0800
Subject: [PATCH] clusterinfo: fix ssrf on /topology/alertmanager/{address}/count (#1738)
Signed-off-by: mornyx
---
 pkg/apiserver/clusterinfo/service.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/pkg/apiserver/clusterinfo/service.go b/pkg/apiserver/clusterinfo/service.go
index 97eda4e06..f506edbee 100644
--- a/pkg/apiserver/clusterinfo/service.go
+++ b/pkg/apiserver/clusterinfo/service.go
@@ -291,6 +291,23 @@ func (s *Service) getGrafanaTopology(c *gin.Context) {
 // @Failure 401 {object} rest.ErrorResponse
 func (s *Service) getAlertManagerCounts(c *gin.Context) {
 address := c.Param("address")
+ if address == "" {
+ rest.Error(c, rest.ErrBadRequest.New("address is empty"))
+ return
+ }
+ info, err := topology.FetchAlertManagerTopology(c.Request.Context(), s.params.EtcdClient)
+ if err != nil {
+ rest.Error(c, err)
+ return
+ }
+ if info == nil {
+ rest.Error(c, rest.ErrBadRequest.New("alertmanager not found"))
+ return
+ }
+ if address != fmt.Sprintf("%s:%d", info.IP, info.Port) {
+ rest.Error(c, rest.ErrBadRequest.New("address not match"))
+ return
+ }
 cnt, err := fetchAlertManagerCounts(s.lifecycleCtx, address, s.params.HTTPClient)
 if err != nil {
 rest.Error(c, err)
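Review bot: The outbound call after the new checks still passes the request-supplied `address` to `fetchAlertManagerCounts`. Since it must now equal the etcd-registered endpoint, compute that once with `expected := fmt.Sprintf("%s:%d", info.IP, info.Port)`, compare against it, and pass `expected` to the fetch, so the target never derives from the path parameter even if the comparison is later loosened. A short comment above the check would record the intent, e.g. `// SSRF guard: only the AlertManager registered in etcd may be queried.` The plain `%s:%d` form does not bracket IPv6 literals, so it is worth confirming that it matches how clients build the address and how `fetchAlertManagerCounts` consumes it. The body of getAlertManagerCounts continues past the end of the hunk.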