
[SECURITY]: console web hardening (SSRF / CSRF / exposure / supply chain) #369

Description

@ELares

Part of #352. SECURITY. The console is a web UI that proxies Prometheus (/api/timeseries) and talks to internal nodes, which is the same pattern behind the recent Grafana full-read SSRF and account-takeover CVEs (CVE-2025-4123, CVE-2025-8341). Being a new binary plus a frontend, it also adds CSRF, session, exposure and supply-chain surface.

Scope

  • SSRF: the Prometheus base URL and node targets come ONLY from server-side config/discovery, NEVER from request input. Allowlist the Prometheus host and the PromQL surface (forward only the query parameters Prometheus needs; no arbitrary query=/url= passthrough). Egress-restrict the console host so it can reach only Prometheus and the node ports. Refuse redirects and connections to internal IP ranges on every outbound fetch; since Prometheus and the nodes themselves sit on internal ranges, that check applies to any address other than the ones config/discovery pinned, which is what catches DNS rebinding or a compromised resolver.
  • Exposure: the console is NOT internet-exposed. VPN-only, SG-locked ALB on a control-plane subnet (mirror the existing thanos.butlr.io pattern: ALB SG locked to Perimeter81), reachable by operators but not from the data-client network. Also note: the prod node RESP port is open to 0.0.0.0/0 and plaintext - see the connection-security work in [TASK]: console per-node data acquisition (INFO/CLUSTER/SLOWLOG/CLIENT over RESP) #355.
  • Session/CSRF: secure+HttpOnly+SameSite cookies; a per-request CSRF token (or a non-cookie auth header) for all state-changing calls; short session TTL; step-up re-auth for the admin role.
  • Supply chain: extend cargo-deny to the console crate; npm lockfile + audit + Subresource Integrity (SRI); keyless attestation on both tarballs (as the engine already does); strict CSP on the SPA to blunt XSS-to-SSRF chaining.
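
Added illustration of the SSRF bullet, written for this issue and not taken from the console crate: the upstream target is a server-side struct, only allowlisted query parameters are forwarded (percent-encoded so PromQL cannot smuggle `&` or `#`), the resolved address is checked against what discovery pinned before the socket opens, and any 3xx is a reject rather than a second fetch. The `PromTarget` struct, the `FORWARDED_PARAMS` list, the `/api/v1/query_range` upstream path and the function names are all assumptions for the example.

```rust
use std::net::{IpAddr, Ipv4Addr};

/// Upstream Prometheus target, filled from server-side config/discovery at
/// startup. Nothing in it comes from an HTTP request. (Hypothetical struct.)
#[derive(Debug, Clone)]
pub struct PromTarget {
    pub scheme: &'static str,      // "http" or "https"
    pub host: String,              // allowlisted hostname
    pub port: u16,
    pub pinned_addrs: Vec<IpAddr>, // what discovery says `host` resolves to
}

/// The only request parameters copied through to Prometheus. Anything else
/// (url=, target=, path=, ...) is refused, not passed along.
const FORWARDED_PARAMS: [&str; 4] = ["query", "start", "end", "step"];

#[derive(Debug, PartialEq)]
pub enum SsrfReject {
    ForbiddenParam(String),
    InternalAddress(IpAddr),
    UnexpectedAddress(IpAddr),
    Redirect(u16),
}

/// Percent-encode everything except RFC 3986 unreserved characters.
fn percent_encode(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{b:02X}")),
        }
    }
    out
}

/// Build the upstream URL for a /api/timeseries request. Scheme, host, port and
/// path are fixed by `target`; only allowlisted parameter values are copied in.
pub fn build_query_url(target: &PromTarget, params: &[(&str, &str)]) -> Result<String, SsrfReject> {
    let mut qs = Vec::with_capacity(params.len());
    for (k, v) in params {
        if !FORWARDED_PARAMS.contains(k) {
            return Err(SsrfReject::ForbiddenParam(k.to_string()));
        }
        qs.push(format!("{k}={}", percent_encode(v)));
    }
    Ok(format!("{}://{}:{}/api/v1/query_range?{}", target.scheme, target.host, target.port, qs.join("&")))
}

fn is_internal_v4(v4: Ipv4Addr) -> bool {
    let o = v4.octets();
    v4.is_private()
        || v4.is_loopback()
        || v4.is_link_local() // covers 169.254.169.254 cloud metadata
        || v4.is_unspecified()
        || v4.is_broadcast()
        || o[0] == 0
        || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64.0.0/10 shared/CGNAT
}

/// Ranges the console must never be steered into by DNS or by an upstream 3xx.
pub fn is_internal_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_internal_v4(v4),
        IpAddr::V6(v6) => {
            if let Some(v4) = v6.to_ipv4_mapped() {
                return is_internal_v4(v4); // ::ffff:10.0.0.1 gets the v4 rules
            }
            let s = v6.segments();
            v6.is_loopback()
                || v6.is_unspecified()
                || (s[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (s[0] & 0xffc0) == 0xfe80 // fe80::/10 link local
        }
    }
}

/// Called with what the resolver returned for target.host, before connecting.
/// Only addresses discovery pinned are accepted; internal ranges are named
/// separately so the log distinguishes rebinding from a stale allowlist.
pub fn check_resolved(target: &PromTarget, resolved: IpAddr) -> Result<(), SsrfReject> {
    if target.pinned_addrs.contains(&resolved) {
        return Ok(());
    }
    if is_internal_ip(resolved) {
        return Err(SsrfReject::InternalAddress(resolved));
    }
    Err(SsrfReject::UnexpectedAddress(resolved))
}

/// Redirects are never followed: a 3xx from the allowlisted host is a reject,
/// not a fetch to wherever Location points.
pub fn check_status(status: u16) -> Result<u16, SsrfReject> {
    if (300..400).contains(&status) { Err(SsrfReject::Redirect(status)) } else { Ok(status) }
}
```

Note the ordering in `check_resolved`: the pinned list wins over the internal-range block because the list is server-side state, which is exactly why Prometheus on a 10/8 address still works while a rebind of the same hostname to 169.254.169.254 does not. The HTTP client must also be configured not to follow redirects on its own, otherwise `check_status` never sees the 3xx.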

Acceptance

A documented threat model + the above controls verified: the console is unreachable from the internet; no request-controlled URL reaches an internal fetch; state-changing calls are CSRF-protected; admin actions require step-up auth; the frontend ships with a CSP + SRI + pinned deps.
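
Added example for the Session/CSRF bullet and the "state-changing calls are CSRF-protected; admin actions require step-up auth" acceptance items (example code written for this issue, not the console's own): a server-side session store, a `__Host-` cookie with Secure/HttpOnly/SameSite, a per-session synchronizer token checked in constant time together with the Origin header on non-safe methods, a short TTL with eviction, and a step-up window for admin actions. The `Request`/`Policy` shapes, header names and numeric values are assumptions; the random-token helper reads /dev/urandom and is Linux-only.

```rust
use std::collections::HashMap;
use std::io::Read;
use std::time::{Duration, Instant};

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Role { Viewer, Admin }

/// Server-side session record. Only the opaque session id goes into the cookie;
/// the CSRF token is bound to the session and handed to the SPA in a response
/// body, never in a cookie, so a cross-site form post has no way to present it.
pub struct Session {
    pub role: Role,
    pub csrf_token: String,
    pub expires_at: Instant,
    /// Last interactive re-authentication; admin actions need it to be recent
    /// (step-up), independently of the session TTL.
    pub last_reauth: Instant,
}

/// The request fields the gate inspects (hypothetical model, no web framework).
#[derive(Clone, Copy)]
pub struct Request<'a> {
    pub method: &'a str,
    pub session_cookie: Option<&'a str>, // value of the session cookie
    pub csrf_header: Option<&'a str>,    // X-CSRF-Token request header
    pub origin: Option<&'a str>,         // Origin request header
    pub admin_action: bool,
}

#[derive(Debug, PartialEq)]
pub enum Deny { NoSession, Expired, BadOrigin, MissingCsrf, BadCsrf, Forbidden, StepUpRequired }

/// Policy knobs; the values used in the test are assumptions for the example.
pub struct Policy {
    pub session_ttl: Duration,
    pub step_up_window: Duration,
    pub origin: &'static str, // the single origin the SPA is served from
}

#[derive(Default)]
pub struct SessionStore {
    sessions: HashMap<String, Session>,
}

/// 32 bytes from the OS CSPRNG, hex-encoded; used for session ids and CSRF
/// tokens. Linux-specific shortcut; a real build would use a rand crate.
pub fn random_token() -> std::io::Result<String> {
    let mut buf = [0u8; 32];
    std::fs::File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf.iter().map(|b| format!("{b:02x}")).collect())
}

/// Set-Cookie value for the session id. The __Host- prefix makes the browser
/// enforce Secure, Path=/ and no Domain attribute, so a sibling subdomain cannot
/// plant a cookie of the same name; Max-Age carries the short TTL to the client.
pub fn session_set_cookie(id: &str, pol: &Policy) -> String {
    format!(
        "__Host-console_session={id}; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age={}",
        pol.session_ttl.as_secs()
    )
}

/// Compare the CSRF token without leaking where the first mismatch is.
fn ct_eq(a: &str, b: &str) -> bool {
    a.len() == b.len() && a.bytes().zip(b.bytes()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl SessionStore {
    pub fn insert(&mut self, id: &str, s: Session) {
        self.sessions.insert(id.to_string(), s);
    }

    /// Gate for every request: the session must exist and be unexpired; a
    /// state-changing method must carry the expected Origin and the session's
    /// CSRF token; an admin action additionally needs the Admin role and a
    /// re-authentication inside the step-up window.
    pub fn authorize(&mut self, req: &Request<'_>, pol: &Policy, now: Instant) -> Result<(), Deny> {
        let id = req.session_cookie.ok_or(Deny::NoSession)?;
        let expired = now >= self.sessions.get(id).ok_or(Deny::NoSession)?.expires_at;
        if expired {
            self.sessions.remove(id); // expired sessions are evicted, not revived
            return Err(Deny::Expired);
        }
        let sess = &self.sessions[id];
        if !matches!(req.method, "GET" | "HEAD" | "OPTIONS") {
            // Browsers send Origin on fetch/XHR/form POSTs, so a missing or
            // foreign Origin is treated as cross-site regardless of the token.
            if req.origin != Some(pol.origin) {
                return Err(Deny::BadOrigin);
            }
            let tok = req.csrf_header.ok_or(Deny::MissingCsrf)?;
            if !ct_eq(tok, &sess.csrf_token) {
                return Err(Deny::BadCsrf);
            }
        }
        if req.admin_action {
            if sess.role != Role::Admin {
                return Err(Deny::Forbidden);
            }
            if now.duration_since(sess.last_reauth) > pol.step_up_window {
                return Err(Deny::StepUpRequired);
            }
        }
        Ok(())
    }
}
```

The token travels in a request header, which a cross-site form or image tag cannot set, and the Origin check is kept even with SameSite=Strict because the cookie attribute only protects browsers that honour it while the header check is enforced on the server. If the console later moves to a non-cookie auth header, as the bullet allows, the Origin and token checks become redundant but the step-up window does not.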

Relates to: #360, #364, #363.


Labels: console (IronCache Console: dashboard / UI server), sub-issue (granular child task split out from a parent design issue)