apply security patch: release-11.2.9/368-202504020742.patch

commit 14c7fa5311814148bbf24967cd3094480f9d21ab Author: Andres Martinez Gotor <andres.martinez@grafana.com> Date: Wed Apr 2 09:41:11 2025 +0200 Sanitize paths before evaluating access to route
2 months ago · 044c8eda95
parent b3c27a1519
commit 044c8eda95
2 changed files with 17 additions and 1 deletions
--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
@ -301,7 +301,15 @@ func (proxy *DataSourceProxy) validateRequest() error {
 		}

 		// route match
-		if !strings.HasPrefix(proxy.proxyPath, route.Path) {
+		r1, err := util.CleanRelativePath(proxy.proxyPath)
+		if err != nil {
+			return err
+		}
+		r2, err := util.CleanRelativePath(route.Path)
+		if err != nil {
+			return err
+		}
+		if !strings.HasPrefix(r1, r2) {
 			continue
 		}

--- a/pkg/api/pluginproxy/ds_proxy_test.go
+++ b/pkg/api/pluginproxy/ds_proxy_test.go
@ -257,6 +257,14 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 				err = proxy.validateRequest()
 				require.NoError(t, err)
 			})
+
+			t.Run("path with slashes and user is editor", func(t *testing.T) {
+				ctx, _ := setUp()
+				proxy, err := setupDSProxyTest(t, ctx, ds, routes, "//api//admin")
+				require.NoError(t, err)
+				err = proxy.validateRequest()
+				require.Error(t, err)
+			})
 		})

 		t.Run("plugin route with RBAC protection user is allowed", func(t *testing.T) {