Skip to content

feat(ingester): restrict /flush and /shutdown endpoints to POST only#7674

Open
Goutham-Annem wants to merge 1 commit into
cortexproject:masterfrom
Goutham-Annem:fix/3243-post-only-flush-shutdown
Open

feat(ingester): restrict /flush and /shutdown endpoints to POST only#7674
Goutham-Annem wants to merge 1 commit into
cortexproject:masterfrom
Goutham-Annem:fix/3243-post-only-flush-shutdown

Conversation

@Goutham-Annem

Copy link
Copy Markdown

What this PR does:

The /ingester/flush, /ingester/shutdown, /flush, and /shutdown endpoints previously accepted GET requests, making it possible to accidentally trigger a destructive ingester operation by clicking a link in a browser or via a pre-fetch proxy following the index page's links.

This PR makes three coordinated changes:

  1. Route restriction (pkg/api/api.go): The four flush/shutdown RegisterRoute calls now only list "POST". A browser GET (or curl without -X POST) returns 405 Method Not Allowed.

  2. Index page template (pkg/api/handlers.go): Links in the Dangerous: section now render as <form method="POST"><button> elements instead of <a href> anchors. This ensures that clicking in the browser issues a POST, not a GET. Non-dangerous links continue to render as plain anchors. A template function IsDangerous(section string) bool drives the branching.

  3. Migration script (tools/migrate-ingester-statefulsets.sh): The BusyBox wget invocation inside kubectl exec is updated to wget --post-data="" -T 5 .... BusyBox wget supports --post-data, so the script continues to work without requiring curl inside the Cortex container image (which is unavailable per the original issue discussion).

Which issue(s) this PR fixes:
Fixes #3243

Checklist

  • Tests updated — TestIndexPageContent extended with assertions that dangerous links produce method="POST" forms and no <a href>; new TestIndexHandlerDangerousLinksUsePostForms covers prefix behaviour for dangerous links
  • CHANGELOG.md updated
  • Documentation added (N/A — behaviour is visible in the UI itself)

Note: This PR was developed with AI assistance (Claude Code).

The /ingester/flush, /ingester/shutdown, /flush, and /shutdown endpoints
previously accepted GET requests, making it possible to accidentally
trigger a destructive ingester operation by clicking a link in a browser
or by a pre-fetch proxy following links on the index page.

Changes:
- Route registration for flush/shutdown changed from ["GET","POST"] to ["POST"].
  A browser GET (or curl without -X POST) now returns 405 Method Not Allowed.
- Index page template updated to render links in the "Dangerous:" section as
  HTML <form method="POST"> submit buttons rather than plain <a href> anchors,
  preventing browser-initiated GET requests while keeping the UI functional.
- tools/migrate-ingester-statefulsets.sh updated to use `wget --post-data=""`
  (BusyBox wget supports this flag) so the script continues to work after the
  GET handler is removed.
- Two tests added/extended to assert the POST-form rendering for dangerous links.

Fixes cortexproject#3243

Signed-off-by: Goutham Annem <gouthemannem@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Restrict /flush and /shutdown ingester endpoints to POST method only

1 participant