From 358d38f97fdef7e2d01718e70b052a400d819c9e Mon Sep 17 00:00:00 2001 From: rcourtman Date: Tue, 16 Dec 2025 20:10:31 +0000 Subject: [PATCH] fix: Allow printable ASCII in alert IDs for acknowledge requests Reverts overly strict alert ID validation that was rejecting valid alert IDs containing special characters. Docker host IDs can contain user-supplied data like hostnames which may include parentheses, brackets, or other printable ASCII characters. The previous validation only allowed alphanumeric + limited punctuation, which caused 400 errors when acknowledging alerts from Docker hosts with special characters in their identifiers. Related to #852 --- internal/api/alerts.go | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/internal/api/alerts.go b/internal/api/alerts.go index 3a3f32d..45ec194 100644 --- a/internal/api/alerts.go +++ b/internal/api/alerts.go @@ -38,8 +38,8 @@ func (h *AlertHandlers) SetMonitor(m *monitoring.Monitor) { } // validateAlertID validates an alert ID for security. -// Alert IDs should be alphanumeric with limited punctuation (hyphens, underscores, colons, periods). -// This prevents issues with logging, URL encoding, and potential injection attacks. +// Alert IDs may contain user-supplied data (e.g., Docker hostnames), so we allow +// printable ASCII characters while blocking control characters and path traversal. func validateAlertID(alertID string) bool { // Guard against empty strings or extremely large payloads that could impact memory usage. if len(alertID) == 0 || len(alertID) > 500 { @@ -51,15 +51,11 @@ func validateAlertID(alertID string) bool { return false } - // Allow alphanumeric characters and safe punctuation commonly used in IDs. - // Restrict to a safe character set to avoid issues with logging, URLs, and shell escaping. + // Allow printable ASCII characters (32-126) to support user-supplied identifiers + // like Docker hostnames that may contain parentheses, brackets, etc. + // Reject control characters (0-31) and DEL (127) which could cause logging issues. for _, r := range alertID { - isAlphanumeric := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') - isSafePunctuation := r == '-' || r == '_' || r == ':' || r == '.' || r == '/' || r == '@' - // Allow spaces for backward compatibility with existing alert IDs that include instance names - isSpace := r == ' ' - - if !isAlphanumeric && !isSafePunctuation && !isSpace { + if r < 32 || r > 126 { return false } }