No way to safely generate JSON messages #248
Description
Problem
Currently, the documentation advises that JSON can be used for message bodies:
If you use a custom webhook for your destination and need to embed JSON in the message body, be sure to escape your quotes:
```json
{
  "message_template": {
    "source": "{ \"text\": \"Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue. - Trigger: {{ctx.trigger.name}} - Severity: {{ctx.trigger.severity}} - Period start: {{ctx.periodStart}} - Period end: {{ctx.periodEnd}}\" }"
  }
}
```
This information is wrong and potentially dangerous. Mustache uses a different escaping system than JSON expects, and cannot be used to generate properly escaped JSON strings. This leads to a number of problems:
- Valid characters in JSON strings are unexpectedly replaced with HTML escape codes (e.g. `<` becomes `&lt;`).
- Backslashes can break the JSON formatting (e.g. strings ending with `\` will not be closed). Most of the time this would be unintentional, but if the strings originate from user input, it could be an avenue for injection (in theory; it would be difficult to actually exploit in practice because of the extremely specific circumstances required).
Solution
There are several potential fixes, but probably the least effort would be to simply add something like `toJson`, which is used by the search template API: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-template.html#search-template-converting-to-json. (Note: if you plan to reuse their code, please handle all types correctly and don't bail out like they do here. That makes it useless for escaping user input securely.)
Obviously, the docs would need to be updated as well.
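To make the two failure modes above concrete, here is an added stand-alone illustration (not code from the alerting plugin or from the issue author): a minimal Mustache-style renderer that HTML-escapes substituted values, rendered into the documentation's template shape, beside the same template rendered with a JSON string escape in the spirit of the proposed `toJson`. `html.escape` is assumed to approximate the Mustache implementation's escape set; the template and monitor names are constructed.

```python
import html
import json
from typing import Callable

# Constructed template in the shape of the documentation example: the
# placeholder sits inside a JSON string, so whatever the renderer emits
# must be valid JSON string content.
TEMPLATE = '{ "text": "Monitor {{ctx.monitor.name}} just entered alert status." }'

def mustache_escape(value: str) -> str:
    # Double-brace tags are HTML-escaped by Mustache. Assumption: html.escape
    # approximates the implementation's escape set (& < > " '). Note that a
    # backslash is not touched at all.
    return html.escape(value)

def json_escape(value: str) -> str:
    # Proposed helper: JSON-encode the value and drop the surrounding quotes,
    # leaving content that is safe inside an existing JSON string literal.
    return json.dumps(value)[1:-1]

def render(template: str, values: dict, escape: Callable[[str], str]) -> str:
    # Substitute every {{key}} with the escaped value, like a template engine.
    out = template
    for key, val in values.items():
        out = out.replace("{{" + key + "}}", escape(str(val)))
    return out

def extract_text(body: str):
    """Parse the rendered body as the webhook receiver would; return the
    'text' field, or None if the body is not valid JSON."""
    try:
        return json.loads(body)["text"]
    except (json.JSONDecodeError, KeyError, TypeError):
        return None

def compare(monitor_name: str) -> dict:
    """Render the same template both ways and report what a receiver sees."""
    values = {"ctx.monitor.name": monitor_name}
    return {
        "mustache": extract_text(render(TEMPLATE, values, mustache_escape)),
        "json": extract_text(render(TEMPLATE, values, json_escape)),
    }

if __name__ == "__main__":
    print(compare("disk-check\\"))   # trailing backslash: Mustache output is not JSON
    print(compare('<prod> "edge"'))  # angle brackets and quotes: content is altered
```

With the trailing-backslash name the HTML-escaped body fails to parse, while with `<prod> "edge"` it parses but delivers `&lt;prod&gt; &quot;edge&quot;`; the JSON-escaped rendering round-trips both values unchanged.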