DataProxy: Populate X-Grafana-Referer header (#60040)

* ProxyUtil: Populate X-Grafana-Referer header * ProxyUtil: Move Referer/Origin header removal So that the removal and setting X-Grafana-Referer logic applies to all proxied requests and not just datasource proxy. * ProxyUtil: Test to guard against multiline headers * ProxyUtil: Explicitly check injected header isn't parsed
3 years ago · b0874d8059
parent 5dfa59884e
commit b0874d8059
4 changed files with 42 additions and 5 deletions
--- a/pkg/util/proxyutil/proxyutil.go
+++ b/pkg/util/proxyutil/proxyutil.go
@ -7,9 +7,17 @@ import (
 )

 // PrepareProxyRequest prepares a request for being proxied.
-// Removes X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto headers.
+// Removes X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto, Origin, Referer headers.
+// Set X-Grafana-Referer based on contents of Referer.
 // Set X-Forwarded-For headers.
 func PrepareProxyRequest(req *http.Request) {
+	// Set X-Grafana-Referer to correlate access logs to dashboards
+	req.Header.Set("X-Grafana-Referer", req.Header.Get("Referer"))
+
+	// Clear Origin and Referer to avoid CORS issues
+	req.Header.Del("Origin")
+	req.Header.Del("Referer")
+
 	req.Header.Del("X-Forwarded-Host")
 	req.Header.Del("X-Forwarded-Port")
 	req.Header.Del("X-Forwarded-Proto")
--- a/pkg/util/proxyutil/proxyutil_test.go
+++ b/pkg/util/proxyutil/proxyutil_test.go
@ -8,6 +8,38 @@ import (
 )

 func TestPrepareProxyRequest(t *testing.T) {
+	t.Run("Prepare proxy request should clear Origin and Referer headers", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodGet, "/", nil)
+		require.NoError(t, err)
+		req.Header.Set("Origin", "https://host.com")
+		req.Header.Set("Referer", "https://host.com/dashboard")
+
+		PrepareProxyRequest(req)
+		require.NotContains(t, req.Header, "Origin")
+		require.NotContains(t, req.Header, "Referer")
+	})
+
+	t.Run("Prepare proxy request should set X-Grafana-Referer header", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodGet, "/", nil)
+		require.NoError(t, err)
+		req.Header.Set("Referer", "https://host.com/dashboard")
+
+		PrepareProxyRequest(req)
+		require.Contains(t, req.Header, "X-Grafana-Referer")
+		require.Equal(t, "https://host.com/dashboard", req.Header.Get("X-Grafana-Referer"))
+	})
+
+	t.Run("Prepare proxy request X-Grafana-Referer handles multiline", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodGet, "/", nil)
+		require.NoError(t, err)
+		req.Header.Set("Referer", "https://www.google.ch\r\nOtherHeader:https://www.somethingelse.com")
+
+		PrepareProxyRequest(req)
+		require.Contains(t, req.Header, "X-Grafana-Referer")
+		require.NotContains(t, req.Header, "OtherHeader")
+		require.Equal(t, "https://www.google.ch\r\nOtherHeader:https://www.somethingelse.com", req.Header.Get("X-Grafana-Referer"))
+	})
+
 	t.Run("Prepare proxy request should clear X-Forwarded headers", func(t *testing.T) {
 		req, err := http.NewRequest(http.MethodGet, "/", nil)
 		require.NoError(t, err)
--- a/pkg/util/proxyutil/reverse_proxy.go
+++ b/pkg/util/proxyutil/reverse_proxy.go
@ -76,10 +76,6 @@ func wrapDirector(d func(*http.Request)) func(req *http.Request) {

 		d(req)
 		PrepareProxyRequest(req)
-
-		// Clear Origin and Referer to avoid CORS issues
-		req.Header.Del("Origin")
-		req.Header.Del("Referer")
 	}
 }

--- a/pkg/util/proxyutil/reverse_proxy_test.go
+++ b/pkg/util/proxyutil/reverse_proxy_test.go
@ -50,6 +50,7 @@ func TestReverseProxy(t *testing.T) {
 		require.Equal(t, "10.0.0.1", actualReq.Header.Get("X-Forwarded-For"))
 		require.Empty(t, actualReq.Header.Get("Origin"))
 		require.Empty(t, actualReq.Header.Get("Referer"))
+		require.Equal(t, "https://test.com/api", actualReq.Header.Get("X-Grafana-Referer"))
 		require.Equal(t, "value", actualReq.Header.Get("X-KEY"))
 		resp := rec.Result()
 		require.Empty(t, resp.Cookies())