Part of #352. SECURITY. The console is a web UI that proxies Prometheus (/api/timeseries) and talks to internal nodes - the exact pattern behind real Grafana full-read-SSRF + account-takeover CVEs (CVE-2025-4123, CVE-2025-8341). Plus CSRF/session/exposure/supply-chain surface from a new binary + frontend.
Scope
SSRF: the Prometheus base URL and node targets come ONLY from server-side config/discovery, NEVER from request input. Allowlist the Prometheus host + the PromQL surface (no arbitrary query=/url= passthrough). Egress-restrict the console host (it may reach only Prometheus + node ports). Block redirects + internal IP ranges on any outbound fetch.
Exposure: the console is NOT internet-exposed. VPN-only, SG-locked ALB on a control-plane subnet (mirror the existing thanos.butlr.io pattern: ALB SG locked to Perimeter81), reachable by operators but not from the data-client network. Also note: the prod node RESP port is open to 0.0.0.0/0 and plaintext - see the connection-security work in [TASK]: console per-node data acquisition (INFO/CLUSTER/SLOWLOG/CLIENT over RESP) #355.
Session/CSRF: secure+HttpOnly+SameSite cookies; a per-request CSRF token (or a non-cookie auth header) for all state-changing calls; short session TTL; step-up re-auth for the admin role.
Supply chain: extend cargo-deny to the console crate; npm lockfile + audit + Subresource-Integrity; keyless attestation on both tarballs (as the engine already does); strict CSP on the SPA to blunt XSS-to-SSRF chaining.
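The SSRF controls in the Scope list above, as an added Rust example (not code from this project): the upstream URL is assembled from server-side config plus an allowlisted set of parameters per console route, the resolved address is checked before connecting, and any 3xx from upstream is treated as an error rather than followed. The config shape, the route table, the `Deny` type and the assumption that the HTTP client layer calls `check_target()` after DNS resolution and `check_response()` before reading a body are all assumptions of this example.

```rust
// Added example, not the project's code: guard logic for the console's
// Prometheus proxy. The config shape, the route table and the error type are
// assumptions; the HTTP client layer is assumed to call check_target() after
// DNS resolution and check_response() before reading a response body.
use std::net::{IpAddr, Ipv4Addr};

/// Upstream settings loaded from server-side config; never from a request.
pub struct PrometheusUpstream {
    /// scheme://host[:port] only; validated once at startup by validate_base().
    pub base: String,
}

/// Console route -> upstream endpoint -> the only query parameters forwarded.
/// Everything else the client sends (url=, proxy=, a second query=) is dropped.
const ROUTES: &[(&str, &str, &[&str])] = &[
    ("/api/timeseries", "/api/v1/query_range", &["query", "start", "end", "step"]),
    ("/api/instant", "/api/v1/query", &["query", "time"]),
];

#[derive(Debug, PartialEq)]
pub enum Deny {
    BadBase(String),
    UnknownRoute(String),
    MissingParam(&'static str),
    HostNotAllowed(String),
    BlockedAddress(IpAddr),
    Redirect(u16),
}

/// Startup check: the base may carry a scheme, a DNS name or IPv4 literal and a
/// port, nothing else, so a misconfigured base cannot smuggle in a path,
/// userinfo or query string.
pub fn validate_base(base: &str) -> Result<(), Deny> {
    let rest = base
        .strip_prefix("https://")
        .or_else(|| base.strip_prefix("http://"))
        .ok_or_else(|| Deny::BadBase(base.to_string()))?;
    if rest.is_empty() || rest.chars().any(|c| "/?#@[".contains(c)) {
        return Err(Deny::BadBase(base.to_string()));
    }
    Ok(())
}

impl PrometheusUpstream {
    /// Host part of the base, used for the exact-match allowlist check.
    pub fn host(&self) -> &str {
        let rest = self.base.splitn(2, "://").nth(1).unwrap_or("");
        rest.rsplit_once(':').map(|(h, _)| h).unwrap_or(rest)
    }
}

/// RFC 3986 unreserved characters pass through; everything else is %XX-encoded
/// so a PromQL value cannot break out of its own parameter.
fn pct(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Build the upstream URL from config plus the allowlisted parameters only.
/// The request never contributes a scheme, host, port or path.
pub fn build_upstream(cfg: &PrometheusUpstream, route: &str, params: &[(&str, &str)]) -> Result<String, Deny> {
    let (_, endpoint, allowed) = ROUTES
        .iter()
        .find(|(r, _, _)| *r == route)
        .ok_or_else(|| Deny::UnknownRoute(route.to_string()))?;
    let mut qs = Vec::new();
    for name in allowed.iter() {
        // First occurrence wins; duplicates and unlisted names are ignored.
        if let Some((_, v)) = params.iter().find(|(k, _)| k == name) {
            qs.push(format!("{}={}", pct(name), pct(v)));
        }
    }
    if !qs.iter().any(|p| p.starts_with("query=")) {
        return Err(Deny::MissingParam("query"));
    }
    Ok(format!("{}{}?{}", cfg.base, endpoint, qs.join("&")))
}

fn blocked_v4(ip: Ipv4Addr) -> bool {
    // 169.254.0.0/16 (link-local) covers the cloud metadata endpoint 169.254.169.254.
    ip.is_loopback() || ip.is_link_local() || ip.is_unspecified()
        || ip.is_broadcast() || ip.is_multicast() || ip.octets()[0] == 0
}

/// Addresses the console must never connect to, whatever name resolved to them
/// (DNS rebinding, a poisoned record). RFC1918/ULA are deliberately absent here
/// because Prometheus itself sits on a private subnet; the exact-host allowlist
/// in check_target() and the host's egress rules cover those ranges.
pub fn is_blocked_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => blocked_v4(v4),
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            Some(v4) => blocked_v4(v4), // ::ffff:a.b.c.d gets the IPv4 rules
            None => {
                let s0 = v6.segments()[0];
                v6.is_loopback() || v6.is_unspecified() || v6.is_multicast()
                    || (s0 & 0xffc0) == 0xfe80 // fe80::/10 link-local
            }
        },
    }
}

/// Called by the client layer after DNS resolution, before connecting.
pub fn check_target(cfg: &PrometheusUpstream, host: &str, resolved: &[IpAddr]) -> Result<(), Deny> {
    if !host.eq_ignore_ascii_case(cfg.host()) {
        return Err(Deny::HostNotAllowed(host.to_string()));
    }
    if let Some(ip) = resolved.iter().find(|ip| is_blocked_ip(**ip)) {
        return Err(Deny::BlockedAddress(*ip));
    }
    Ok(())
}

/// Redirects are never followed: a 3xx from upstream is an error, not a hop.
pub fn check_response(status: u16) -> Result<(), Deny> {
    if (300..400).contains(&status) { Err(Deny::Redirect(status)) } else { Ok(()) }
}
```

The hostname check is an exact match against the configured upstream, so a redirect or a rebinding to any other name is rejected before the address check runs; the address check is the backstop for the configured name itself resolving somewhere it should not. If Prometheus is ever reachable by a public name, add `is_private()` to `blocked_v4` for non-allowlisted hosts.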
Acceptance
A documented threat model + the above controls verified: the console is unreachable from the internet; no request-controlled URL reaches an internal fetch; state-changing calls are CSRF-protected; admin actions require step-up auth; the frontend ships with a CSP + SRI + pinned deps.
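The session/CSRF and step-up controls from the Scope list and the acceptance criteria, as an added Rust example (not code from this project): a `__Host-` session cookie with Secure, HttpOnly and SameSite=Strict, a CSRF token that is carried in a request header rather than a cookie, compared in constant time and rotated after every successful state-changing call, absolute and idle session TTLs, and a re-auth window that admin actions must fall inside. The `Session` shape, the header name, the time windows and the caller supplying 32 CSPRNG bytes for the next token are assumptions of this example.

```rust
// Added example, not the project's code: session/CSRF enforcement for the
// console's state-changing API. The Session shape, the X-CSRF-Token header,
// the TTL values and the step-up window are assumptions; `fresh` is 32 bytes
// from the OS CSPRNG (getrandom in a real deployment), passed in by the caller.

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Role { Operator, Admin }

pub struct Session {
    pub id: String,
    pub role: Role,
    pub created_at: u64,          // unix seconds
    pub last_seen: u64,
    pub last_reauth: Option<u64>, // last password/MFA re-check, for admin step-up
    pub csrf_token: String,       // rotated on every successful state-changing call
}

#[derive(Debug, PartialEq)]
pub enum Reject { Expired, CsrfMissing, CsrfMismatch, Forbidden, StepUpRequired }

pub const SESSION_TTL: u64 = 8 * 3600;  // absolute lifetime
pub const IDLE_TTL: u64 = 30 * 60;      // idle timeout
pub const STEP_UP_WINDOW: u64 = 5 * 60; // admin action must follow a re-auth within this

/// Set-Cookie value for the session id: unreadable by scripts (HttpOnly), never
/// sent over plaintext (Secure), never attached to cross-site requests
/// (SameSite=Strict). The __Host- prefix makes the browser enforce Secure,
/// Path=/ and no Domain attribute, so a subdomain cannot plant a look-alike.
pub fn session_cookie(id: &str) -> String {
    format!(
        "__Host-console_session={}; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age={}",
        id, SESSION_TTL
    )
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Constant-time equality so a token comparison does not leak a prefix match
/// (tokens are fixed-length, so the length check itself leaks nothing useful).
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Safe methods carry no CSRF token; everything else is state-changing.
pub fn is_state_changing(method: &str) -> bool {
    !matches!(method, "GET" | "HEAD" | "OPTIONS")
}

pub fn check_session(s: &Session, now: u64) -> Result<(), Reject> {
    if now >= s.created_at + SESSION_TTL || now >= s.last_seen + IDLE_TTL {
        Err(Reject::Expired)
    } else {
        Ok(())
    }
}

/// Authorize one request. `csrf_header` is the X-CSRF-Token value the SPA sends;
/// the SPA gets the token from the JSON login/rotation response, never from a
/// cookie, so a cross-site form post cannot supply it. On success for a
/// state-changing call the token is rotated and the new value returned so the
/// handler can hand it back to the client in the response body.
pub fn authorize(
    s: &mut Session,
    now: u64,
    method: &str,
    admin_action: bool,
    csrf_header: Option<&str>,
    fresh: [u8; 32],
) -> Result<Option<String>, Reject> {
    check_session(s, now)?;
    if !is_state_changing(method) {
        s.last_seen = now;
        return Ok(None);
    }
    let presented = csrf_header.ok_or(Reject::CsrfMissing)?;
    if !ct_eq(presented.as_bytes(), s.csrf_token.as_bytes()) {
        return Err(Reject::CsrfMismatch);
    }
    if admin_action {
        if s.role != Role::Admin {
            return Err(Reject::Forbidden);
        }
        // Step-up: a valid session is not enough; the re-auth must be recent.
        if s.last_reauth.map_or(true, |t| now >= t + STEP_UP_WINDOW) {
            return Err(Reject::StepUpRequired);
        }
    }
    s.last_seen = now;
    s.csrf_token = hex(&fresh);
    Ok(Some(s.csrf_token.clone()))
}
```

Because the token is consumed on success, a replayed request with the old token fails the mismatch check, which is what "per-request CSRF token" buys over a per-session one; a failed step-up leaves the token untouched so the client can retry the same call after re-authenticating.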
Relates to: #360, #364, #363.