apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

apply security patch: release-11.6.1/364-202504020728.patch

Browse Source 
commit 5697757c8006732776de7f4385c2029bb01f67c6
Author: Andres Martinez Gotor <andres.martinez@grafana.com>
Date:   Mon Mar 31 12:15:52 2025 +0200

    Sanitize paths before evaluating access to route
pull/104467/head
github-actions[bot] 2 months ago
parent 2d4d7cf869
commit 5e30a9ec08
2 changed files with 17 additions and 1 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 10
      pkg/api/pluginproxy/ds_proxy.go
  2. 8
      pkg/api/pluginproxy/ds_proxy_test.go

10
pkg/api/pluginproxy/ds_proxy.go
Unescape View File

@ -302,7 +302,15 @@ func (proxy *DataSourceProxy) validateRequest() error {
} }
// route match // route match
if !strings.HasPrefix(proxy.proxyPath, route.Path) { r1, err := util.CleanRelativePath(proxy.proxyPath)
if err != nil {
return err
}
r2, err := util.CleanRelativePath(route.Path)
if err != nil {
return err
}
if !strings.HasPrefix(r1, r2) {
continue continue
} }

8
pkg/api/pluginproxy/ds_proxy_test.go
Unescape View File

@ -274,6 +274,14 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
err = proxy.validateRequest() err = proxy.validateRequest()
require.NoError(t, err) require.NoError(t, err)
}) })
t.Run("path with slashes and user is editor", func(t *testing.T) {
ctx, _ := setUp()
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "//api//admin")
require.NoError(t, err)
err = proxy.validateRequest()
require.Error(t, err)
})
}) })
t.Run("plugin route with RBAC protection user is allowed", func(t *testing.T) { t.Run("plugin route with RBAC protection user is allowed", func(t *testing.T) {

Write Preview
Loading…
Cancel
Save