You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Adds Pushover as a new alert channel with per-project API token override
(project GUI token wins over global config). Includes db migration v2.19.3,
config fields, TaskRunner wiring, and template.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds Pushover API token input to ProjectForm and `pushoverApiTokenOptional`
translation key across all 17 language files.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The reason will be displayed to describe this comment to others. Learn more.
Severity: Medium — JSON injection / alert manipulation
This template builds JSON with text/template and no escaping. {{ .Task.Desc }} is populated from Task.Message, which task starters can set via POST /api/project/{id}/tasks (CanRunProjectTasks). Template name and author are also attacker-influenced.
Attack path: start a task with a crafted message such as x"}, "user": "<attacker_pushover_key>", "priority": 2, "x": ". When the alert fires, injected keys can override Pushover API fields (recipient user, priority, etc.) because duplicate JSON keys are commonly last-wins.
Impact: redirect operational alerts to an attacker-controlled Pushover account (information disclosure) or manipulate notification metadata; phishing via injected url is also possible depending on parser behavior.
Drop the GUI/DB-stored alert_pushover_token in favor of the global
SEMAPHORE_PUSHOVER_API_TOKEN config. Storing a per-project token and
serializing it via the project JSON exposed the credential to any
project member through GET /api/project/{id}.
- Remove AlertPushoverToken from db.Project and its INSERT/UPDATE columns
- Drop the alert_pushover_token migration column changes
- Remove the in-memory carrier from TaskRunner and the test alert sender
- sendPushoverAlert now uses only the global config token/user
- Remove the Pushover token field and i18n keys from ProjectForm
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Outcome: 1 medium-severity issue in new code. Prior per-project credential disclosure finding is resolved — Pushover credentials now come only from global config (util.Config), not project API fields.
Severity
Issue
Location
Medium
JSON injection via unescaped task fields can override Pushover API parameters (recipient user, url, etc.)
services/tasks/templates/pushover.tmpl
Resolved since last review: Per-project alert_pushover_token exposure (db/Project.go) no longer present in this PR.
No authn/authz bypass, SSRF, SQL injection, or meaningful supply-chain change identified (package-lock.json is a formatting-only churn).
The reason will be displayed to describe this comment to others. Learn more.
Severity: Medium — JSON injection / alert hijacking
This template builds JSON with text/template and no escaping. {{ .Task.Desc }} is populated from Task.Message, which task starters supply via POST /api/project/{id}/tasks (requires CanRunProjectTasks). {{ .Author }} and template {{ .Name }} are also attacker-influenced.
Attack path: start a task with a crafted message such as x"}, "user": "<attacker_pushover_key>", "priority": 2, "x": ". When the alert fires, injected keys appear after the legitimate user field; duplicate-key parsers (including typical JSON decoders) are last-wins, so the notification is redirected to the attacker's Pushover account using the server's application token.
Impact: operational alert hijacking (information disclosure) and possible phishing via injected url/title fields.
Fix: build the request with encoding/json (or at minimum json template func escaping) instead of hand-assembled JSON strings.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Originally requested in #3693
Tested and verified
Tested in Docker
Performed tests agains the new feature, by defining setting in
Pushover API token UI field > config.json || environment variables