Neatly decorated emails from watch, without compromising security

Hi

I want my email alerts to be more user-friendly.
In order to do so, I made some styled email templates (with mustache expressions) using CSS. Unfortunately I can't paste them here.
According to the Watcher HTML Sanitization documentation, style attributes are disabled in order to avoid XSS through CSS.
This is reasonable, but I want to find a way to send really neatly decorated emails to my clients. My concern is not about what tags and attributes are supported by email clients (I have control over this in my case), but how to send formatted and user-friendly mails safely.
I am not really worried about XSS on the client side, but mostly about XSS affecting the ELK environment.

Is it only a matter of allowing specific tags and attributes in a way that avoids XSS? Or is there any built-in solution in Watcher for safely sending decorated mails?

Thanks
Dan

Hey,

Did you enable the _styles attributes and try again? See the end of the sanitization docs.

--Alex
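To make the "allow specific tags and attributes" idea concrete, here is an added illustration in Python. It is not Watcher's own sanitizer code and makes no claim about which library Watcher uses; the tag, attribute and CSS-property allowlists, the `allow_styles` flag (playing the role of Watcher's `_styles` setting) and the sample alert body are all constructed for this example. With styles disabled, every `style` attribute is dropped, which is the safe default the question refers to; with styles enabled, only allowlisted CSS properties with a restricted value syntax survive, so `behavior:url(...)`, `expression(...)` and `javascript:` links are still removed while `color`, `width` and `background-color` get through.

```python
# Added illustration (not Watcher's own code): an allowlist HTML sanitizer
# with an optional, separately allowlisted "style" attribute, mirroring the
# trade-off behind Watcher's `_styles` sanitization setting.
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "h1", "h2", "h3", "ul", "ol",
                "li", "div", "span", "table", "thead", "tbody", "tr", "th", "td", "a"}
VOID_TAGS = {"br"}
# Attributes allowed per tag; "style" is handled separately by the allow_styles flag.
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"},
                 "table": {"width", "border", "cellpadding", "cellspacing"}}
# Only http(s) and mailto links; this rejects javascript: and data: URLs.
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)
# CSS properties worth keeping, and a value syntax that cannot express url(),
# expression(), backslash escapes, quotes or angle brackets.
SAFE_CSS_PROPS = {"color", "background-color", "font-family", "font-size", "font-weight",
                  "text-align", "padding", "margin", "border", "width"}
CSS_VALUE = re.compile(r"^[A-Za-z0-9 #%.,-]+$")


def clean_css(style: str) -> str:
    """Keep only allowlisted property/value pairs from an inline style attribute."""
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        if prop in SAFE_CSS_PROPS and CSS_VALUE.fullmatch(value):
            kept.append(f"{prop}: {value}")
    return "; ".join(kept)


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allow_styles: bool):
        super().__init__(convert_charrefs=True)
        self.allow_styles = allow_styles
        self.out = []
        self.stack = []      # open allowed tags, used to re-balance the output
        self.suppress = 0    # > 0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.suppress += 1   # drop the element and everything inside it
            return
        if tag not in ALLOWED_TAGS:
            return               # drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            value = value or ""
            if name == "style":
                if self.allow_styles and (css := clean_css(value)):
                    kept.append(f'style="{escape(css, quote=True)}"')
            elif name in ALLOWED_ATTRS.get(tag, set()):
                if name == "href" and not SAFE_URL.match(value):
                    continue
                kept.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{' ' + ' '.join(kept) if kept else ''}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.suppress = max(0, self.suppress - 1)
            return
        if tag in self.stack:
            while self.stack:    # close mis-nested children before the tag itself
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if self.suppress == 0:
            self.out.append(escape(data, quote=False))


def sanitize(html: str, allow_styles: bool = False) -> str:
    parser = AllowlistSanitizer(allow_styles)
    parser.feed(html)
    parser.close()
    while parser.stack:          # close anything the input left open
        parser.out.append(f"</{parser.stack.pop()}>")
    return "".join(parser.out)


# Constructed sample: a styled alert body mixing legitimate CSS with CSS/JS injection attempts.
SAMPLE = ('<table style="width:100%; background-color:#eee; behavior:url(evil.htc)">'
          '<tr><td style="color:red" onclick="alert(1)">High CPU on {{ctx.payload.host}}</td></tr>'
          '</table><script>alert(document.cookie)</script>'
          '<a href="javascript:alert(1)">link</a> <a href="https://kibana.example/app">Kibana</a>')

if __name__ == "__main__":
    print(sanitize(SAMPLE))                     # styles stripped: the safe default
    print(sanitize(SAMPLE, allow_styles=True))  # allowlisted style declarations kept
```

The point of the two runs is that enabling styles does not have to mean accepting arbitrary CSS: the property allowlist and the value regex are what keep `_styles` from reopening the CSS vector the documentation warns about. The mustache expression in the sample passes through untouched because it is plain text to the sanitizer; Watcher renders the template before sanitizing, so whatever the payload field contains is also subject to this filtering.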

Hi @spinscale,

I tried adding

watcher.actions.email.html.sanitization: 
  allow: _styles

in my cloud config but I got an Illegal user settings error. Is it available on hosted ES?
Thank you.

Sorry, looks like it should be xpack now. I tried again with

xpack.notification.email.html.sanitization.allow: _tables, _blocks, _formatting, _links, _styles

but it failed too :sweat:. I'm using this on my self-hosted ES 5 and it works perfectly. Could you tell me what's illegal here?

Thanks.

Jb

Hey,

just to be sure, which version did you try on cloud so I can try to reproduce?

--Alex

Hello,

I'm using 5.0.2 on both

Did you manage to reproduce @spinscale?

I tried various combination of the settings but none worked.

Hi @JbRichardet,

We do not whitelist the xpack.notification.email.html.sanitization.allow setting in Elastic Cloud, hence it is illegal.

The reason is that we want to verify the ownership of the addresses that people send watches to. Having said that, your particular setting doesn't interfere with that as far as I can tell. We will discuss internally and decide if we want to allow setting this attribute for Cloud customers. Or if not then maybe we can whitelist it on your cluster.

I'll get back to you.

Thanks,
Igor

Thank you @igor_k !

I understand the security concerns, that's why I whitelisted all the recipients addresses in the UI :wink:.

Let me know how it went!

Jean-Baptiste

@JbRichardet, a quick update: we've decided to whitelist these email sanitization settings, but it will take a few days to "do" this change and release it on all of our machines. In meantime, if you don't want to wait you can post the settings that you want to have applied here and list the cluster ids. I'll apply them and let you know and you won't be dependent on our release schedule :wink:

Hope that works for you,
Igor

Thank you @igor_k!

My setting is:

xpack.notification.email.html.sanitization.allow: _tables, _blocks, _formatting, _links, _styles

and my cluster is 1121ff :slight_smile:

I've applied the change to your cluster, but it needs to create a new instance and replicate the data to it. This is needed for a no-downtime migration. I think it will take a few more hours for the data to replicate. Stay tuned for updates!

Thanks,
Igor

I see the cluster 1121ff is updated, so these settings are applied:

xpack.notification.email.html.sanitization.allow: _tables, _blocks, _formatting, _links, _styles

Can you check if everything is fine on your end?

The way it works is that they are sticky and will be there even if you make a change to your cluster. If you want them changed or removed please let us know on the cloud forum.

Thanks,
Igor

My watch triggered this morning and styles were applied perfectly!

Thank you @igor_k
