-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Add Pushover notifications support (#3693) #3976
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: develop
Are you sure you want to change the base?
Changes from all commits
39a1d23
cc5aee4
f745f6d
b9d6567
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| { | ||
| "token": "{{ .Pushover.Token }}", | ||
| "user": "{{ .Pushover.User }}", | ||
| "title": "{{ .Name }} #{{ .Task.ID }}: {{ .Task.Result }}", | ||
| "html": 1, | ||
| "message": "<b>{{ .Task.Result }}</b> {{ .Task.Version }} - {{ .Task.Desc }}\nby {{ .Author }}", | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Severity: Medium — JSON injection / alert hijacking This template builds JSON with Attack path: start a task with a crafted Impact: operational alert hijacking (information disclosure) and possible phishing via injected Fix: build the request with |
||
| "url": "{{ .Task.URL }}", | ||
| "url_title": "View task in Semaphore" | ||
| } | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Severity: Medium — JSON injection / alert manipulation
This template builds JSON with
text/templateand no escaping.{{ .Task.Desc }}is populated fromTask.Message, which task starters can set viaPOST /api/project/{id}/tasks(CanRunProjectTasks). Template name and author are also attacker-influenced.Attack path: start a task with a crafted
messagesuch asx"}, "user": "<attacker_pushover_key>", "priority": 2, "x": ". When the alert fires, injected keys can override Pushover API fields (recipientuser,priority, etc.) because duplicate JSON keys are commonly last-wins.Impact: redirect operational alerts to an attacker-controlled Pushover account (information disclosure) or manipulate notification metadata; phishing via injected
urlis also possible depending on parser behavior.