Security: fixes CVE-2022-29170 (#49240)

* Request interceptor: block redirects * handle location missing * Update pkg/infra/httpclient/httpclientprovider/host_redirect_validation_middleware.go Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Update pkg/infra/httpclient/httpclientprovider/host_redirect_validation_middleware.go Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * linter * fixes tests Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
3 years ago · aad2983350
parent 33359aee6c
commit aad2983350
3 changed files with 48 additions and 6 deletions
--- a/pkg/infra/httpclient/httpclientprovider/host_redirect_validation_middleware.go
+++ b/pkg/infra/httpclient/httpclientprovider/host_redirect_validation_middleware.go
@ -0,0 +1,37 @@
+package httpclientprovider
+
+import (
+	"errors"
+	"net/http"
+
+	"github.com/grafana/grafana/pkg/models"
+
+	sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
+)
+
+const HostRedirectValidationMiddlewareName = "host-redirect-validation"
+
+func RedirectLimitMiddleware(reqValidator models.PluginRequestValidator) sdkhttpclient.Middleware {
+	return sdkhttpclient.NamedMiddlewareFunc(HostRedirectValidationMiddlewareName, func(opts sdkhttpclient.Options, next http.RoundTripper) http.RoundTripper {
+		return sdkhttpclient.RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
+			res, err := next.RoundTrip(req)
+			if err != nil {
+				return nil, err
+			}
+			if res.StatusCode >= 300 && res.StatusCode < 400 {
+				location, locationErr := res.Location()
+				if errors.Is(locationErr, http.ErrNoLocation) {
+					return res, nil
+				}
+				if locationErr != nil {
+					return nil, locationErr
+				}
+
+				if validationErr := reqValidator.Validate(location.String(), nil); validationErr != nil {
+					return nil, validationErr
+				}
+			}
+			return res, nil
+		})
+	})
+}
--- a/pkg/infra/httpclient/httpclientprovider/http_client_provider.go
+++ b/pkg/infra/httpclient/httpclientprovider/http_client_provider.go
@ -5,6 +5,8 @@ import (
 	"net/http"
 	"time"

+	"github.com/grafana/grafana/pkg/models"
+
 	sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/infra/metrics/metricutil"
@ -16,7 +18,7 @@ import (
 var newProviderFunc = sdkhttpclient.NewProvider

 // New creates a new HTTP client provider with pre-configured middlewares.
-func New(cfg *setting.Cfg, tracer tracing.Tracer) *sdkhttpclient.Provider {
+func New(cfg *setting.Cfg, validator models.PluginRequestValidator, tracer tracing.Tracer) *sdkhttpclient.Provider {
 	logger := log.New("httpclient")
 	userAgent := fmt.Sprintf("Grafana/%s", cfg.BuildVersion)

@ -27,6 +29,7 @@ func New(cfg *setting.Cfg, tracer tracing.Tracer) *sdkhttpclient.Provider {
 		sdkhttpclient.BasicAuthenticationMiddleware(),
 		sdkhttpclient.CustomHeadersMiddleware(),
 		ResponseLimitMiddleware(cfg.ResponseLimit),
+		RedirectLimitMiddleware(validator),
 	}

 	if cfg.SigV4AuthEnabled {
--- a/pkg/infra/httpclient/httpclientprovider/http_client_provider_test.go
+++ b/pkg/infra/httpclient/httpclientprovider/http_client_provider_test.go
@ -3,6 +3,8 @@ package httpclientprovider
 import (
 	"testing"

+	"github.com/grafana/grafana/pkg/services/validations"
+
 	sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/setting"
@ -22,10 +24,10 @@ func TestHTTPClientProvider(t *testing.T) {
 		})
 		tracer, err := tracing.InitializeTracerForTest()
 		require.NoError(t, err)
-		_ = New(&setting.Cfg{SigV4AuthEnabled: false}, tracer)
+		_ = New(&setting.Cfg{SigV4AuthEnabled: false}, &validations.OSSPluginRequestValidator{}, tracer)
 		require.Len(t, providerOpts, 1)
 		o := providerOpts[0]
-		require.Len(t, o.Middlewares, 6)
+		require.Len(t, o.Middlewares, 7)
 		require.Equal(t, TracingMiddlewareName, o.Middlewares[0].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, DataSourceMetricsMiddlewareName, o.Middlewares[1].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, SetUserAgentMiddlewareName, o.Middlewares[2].(sdkhttpclient.MiddlewareName).MiddlewareName())
@ -46,16 +48,16 @@ func TestHTTPClientProvider(t *testing.T) {
 		})
 		tracer, err := tracing.InitializeTracerForTest()
 		require.NoError(t, err)
-		_ = New(&setting.Cfg{SigV4AuthEnabled: true}, tracer)
+		_ = New(&setting.Cfg{SigV4AuthEnabled: true}, &validations.OSSPluginRequestValidator{}, tracer)
 		require.Len(t, providerOpts, 1)
 		o := providerOpts[0]
-		require.Len(t, o.Middlewares, 7)
+		require.Len(t, o.Middlewares, 8)
 		require.Equal(t, TracingMiddlewareName, o.Middlewares[0].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, DataSourceMetricsMiddlewareName, o.Middlewares[1].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, SetUserAgentMiddlewareName, o.Middlewares[2].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, sdkhttpclient.BasicAuthenticationMiddlewareName, o.Middlewares[3].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, sdkhttpclient.CustomHeadersMiddlewareName, o.Middlewares[4].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, ResponseLimitMiddlewareName, o.Middlewares[5].(sdkhttpclient.MiddlewareName).MiddlewareName())
-		require.Equal(t, SigV4MiddlewareName, o.Middlewares[6].(sdkhttpclient.MiddlewareName).MiddlewareName())
+		require.Equal(t, SigV4MiddlewareName, o.Middlewares[7].(sdkhttpclient.MiddlewareName).MiddlewareName())
 	})
 }