From 6c64b04c3943a23e55bf0a0eccccb7d8f1ed0dc5 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 22 Apr 2025 13:47:05 +0000 Subject: [PATCH] apply security patch: release-11.5.4/365-202504020730.patch commit 27ee68a7899680bcf0763aa6a7b35d93829fa767 Author: Andres Martinez Gotor Date: Mon Mar 31 12:15:52 2025 +0200 Sanitize paths before evaluating access to route --- pkg/api/pluginproxy/ds_proxy.go | 10 +++++++++- pkg/api/pluginproxy/ds_proxy_test.go | 8 ++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/pkg/api/pluginproxy/ds_proxy.go b/pkg/api/pluginproxy/ds_proxy.go index c90d5b334fa..2b93a4007a3 100644 --- a/pkg/api/pluginproxy/ds_proxy.go +++ b/pkg/api/pluginproxy/ds_proxy.go @@ -302,7 +302,15 @@ func (proxy *DataSourceProxy) validateRequest() error { } // route match - if !strings.HasPrefix(proxy.proxyPath, route.Path) { + r1, err := util.CleanRelativePath(proxy.proxyPath) + if err != nil { + return err + } + r2, err := util.CleanRelativePath(route.Path) + if err != nil { + return err + } + if !strings.HasPrefix(r1, r2) { continue } diff --git a/pkg/api/pluginproxy/ds_proxy_test.go b/pkg/api/pluginproxy/ds_proxy_test.go index a2b70b8aa2a..9a285e5f232 100644 --- a/pkg/api/pluginproxy/ds_proxy_test.go +++ b/pkg/api/pluginproxy/ds_proxy_test.go @@ -274,6 +274,14 @@ func TestDataSourceProxy_routeRule(t *testing.T) { err = proxy.validateRequest() require.NoError(t, err) }) + + t.Run("path with slashes and user is editor", func(t *testing.T) { + ctx, _ := setUp() + proxy, err := setupDSProxyTest(t, ctx, ds, routes, "//api//admin") + require.NoError(t, err) + err = proxy.validateRequest() + require.Error(t, err) + }) }) t.Run("plugin route with RBAC protection user is allowed", func(t *testing.T) {