apply security patch: release-11.6.3/431-202505231801.patch

2025-06-16 12:33:19 +00:00 · 2025-06-16 12:33:19 +00:00 · 66f32f6e08
parent d48d89e993
commit 66f32f6e08
5 changed files with 59 additions and 7 deletions
--- a/pkg/services/ngalert/notifier/alertmanager.go
+++ b/pkg/services/ngalert/notifier/alertmanager.go
@ -398,6 +398,10 @@ func (am *alertmanager) AppURL() string {

 // buildReceiverIntegrations builds a list of integration notifiers off of a receiver config.
 func (am *alertmanager) buildReceiverIntegrations(receiver *alertingNotify.APIReceiver, tmpl *alertingTemplates.Template) ([]*alertingNotify.Integration, error) {
+	err := patchNewSecureFields(context.Background(), receiver, alertingNotify.DecodeSecretsFromBase64, am.decryptFn)
+	if err != nil {
+		return nil, err
+	}
 	receiverCfg, err := alertingNotify.BuildReceiverConfiguration(context.Background(), receiver, alertingNotify.DecodeSecretsFromBase64, am.decryptFn)
 	if err != nil {
 		return nil, err
@ -422,6 +426,50 @@ func (am *alertmanager) buildReceiverIntegrations(receiver *alertingNotify.APIRe
 	return integrations, nil
 }

+func patchNewSecureFields(ctx context.Context, api *alertingNotify.APIReceiver, decode alertingNotify.DecodeSecretsFn, decrypt alertingNotify.GetDecryptedValueFn) error {
+	for _, integration := range api.Integrations {
+		switch integration.Type {
+		case "dingding":
+			err := patchSettingsFromSecureSettings(ctx, integration, "url", decode, decrypt)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func patchSettingsFromSecureSettings(ctx context.Context, integration *alertingNotify.GrafanaIntegrationConfig, key string, decode alertingNotify.DecodeSecretsFn, decrypt alertingNotify.GetDecryptedValueFn) error {
+	if _, ok := integration.SecureSettings[key]; !ok {
+		return nil
+	}
+	decoded, err := decode(integration.SecureSettings)
+	if err != nil {
+		return err
+	}
+	settings := map[string]any{}
+	err = json.Unmarshal(integration.Settings, &settings)
+	if err != nil {
+		return err
+	}
+	currentValue, ok := settings[key]
+	currentString := ""
+	if ok {
+		currentString, _ = currentValue.(string)
+	}
+	secretValue := decrypt(ctx, decoded, key, currentString)
+	if secretValue == currentString {
+		return nil
+	}
+	settings[key] = secretValue
+	data, err := json.Marshal(settings)
+	if err != nil {
+		return err
+	}
+	integration.Settings = data
+	return nil
+}
+
 // PutAlerts receives the alerts and then sends them through the corresponding route based on whenever the alert has a receiver embedded or not
 func (am *alertmanager) PutAlerts(_ context.Context, postableAlerts apimodels.PostableAlerts) error {
 	alerts := make(alertingNotify.PostableAlerts, 0, len(postableAlerts.PostableAlerts))
--- a/pkg/services/ngalert/notifier/channels_config/available_channels.go
+++ b/pkg/services/ngalert/notifier/channels_config/available_channels.go
@ -127,6 +127,7 @@ func GetAvailableNotifiers() []*NotifierPlugin {
 					Placeholder:  "https://oapi.dingtalk.com/robot/send?access_token=xxxxxxxxx",
 					PropertyName: "url",
 					Required:     true,
+					Secure:       true,
 				},
 				{
 					Label:        "Message Type",
--- a/pkg/services/ngalert/notifier/channels_config/available_channels_test.go
+++ b/pkg/services/ngalert/notifier/channels_config/available_channels_test.go
@ -11,7 +11,7 @@ func TestGetSecretKeysForContactPointType(t *testing.T) {
 		receiverType         string
 		expectedSecretFields []string
 	}{
-		{receiverType: "dingding", expectedSecretFields: []string{}},
+		{receiverType: "dingding", expectedSecretFields: []string{"url"}},
 		{receiverType: "kafka", expectedSecretFields: []string{"password"}},
 		{receiverType: "email", expectedSecretFields: []string{}},
 		{receiverType: "pagerduty", expectedSecretFields: []string{"integrationKey"}},
--- a/pkg/services/ngalert/notifier/testreceivers.go
+++ b/pkg/services/ngalert/notifier/testreceivers.go
@ -23,12 +23,17 @@ func (am *alertmanager) TestReceivers(ctx context.Context, c apimodels.TestRecei
 				SecureSettings:        gr.SecureSettings,
 			})
 		}
-		receivers = append(receivers, &alertingNotify.APIReceiver{
+		recv := &alertingNotify.APIReceiver{
 			ConfigReceiver: r.Receiver,
 			GrafanaIntegrations: alertingNotify.GrafanaIntegrations{
 				Integrations: integrations,
 			},
-		})
+		}
+		err := patchNewSecureFields(ctx, recv, alertingNotify.DecodeSecretsFromBase64, am.decryptFn)
+		if err != nil {
+			return nil, 0, err
+		}
+		receivers = append(receivers, recv)
 	}
 	var alert *alertingNotify.TestReceiversConfigAlertParams
 	if c.Alert != nil {
--- a/pkg/tests/api/alerting/api_notification_channel_test.go
+++ b/pkg/tests/api/alerting/api_notification_channel_test.go
@ -2146,10 +2146,8 @@ var expAlertmanagerConfigFromAPI = `
            "name": "dingding_test",
            "type": "dingding",
            "disableResolveMessage": false,
-            "settings": {
-              "url": "http://CHANNEL_ADDR/dingding_recv/dingding_test"
-            },
-            "secureFields": {}
+            "settings": {},
+            "secureFields": {"url": true}
          }
        ]
      },