Backport fix to main (#42979)

* fixes (cherry picked from commit a2c386915ce11b9422f4af8ae181eaa1a22bc5c3) (cherry picked from commit 06706efbbe) * fix regex (cherry picked from commit a259213a3badc9618e969f2c8db0a0143f00faee) (cherry picked from commit 1d7105c095) * lint (#42970) (cherry picked from commit afb9e8e5f3) Co-authored-by: Will Browne <will.browne@grafana.com> Co-authored-by: malcolmholmes <42545407+malcolmholmes@users.noreply.github.com>
4 years ago · d6ec6f8ad2
parent adc31f8f43
commit d6ec6f8ad2
2 changed files with 13 additions and 8 deletions
--- a/pkg/api/plugins.go
+++ b/pkg/api/plugins.go
@ -490,15 +490,15 @@ func (hs *HTTPServer) pluginMarkdown(ctx context.Context, pluginId string, name
 	}

 	// nolint:gosec
-	// We can ignore the gosec G304 warning on this one because `plugin.PluginDir` is based
-	// on plugin the folder structure on disk and not user input.
-	path := filepath.Join(plugin.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
+	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+	// use this with a prefix of the plugin's directory, which is set during plugin loading
+	path := filepath.Join(plugin.PluginDir, mdFilepath(strings.ToUpper(name)))
 	exists, err := fs.Exists(path)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
-		path = filepath.Join(plugin.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
+		path = filepath.Join(plugin.PluginDir, mdFilepath(strings.ToLower(name)))
 	}

 	exists, err = fs.Exists(path)
@ -510,11 +510,15 @@ func (hs *HTTPServer) pluginMarkdown(ctx context.Context, pluginId string, name
 	}

 	// nolint:gosec
-	// We can ignore the gosec G304 warning on this one because `plugin.PluginDir` is based
-	// on plugin the folder structure on disk and not user input.
+	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+	// use this with a prefix of the plugin's directory, which is set during plugin loading
 	data, err := ioutil.ReadFile(path)
 	if err != nil {
 		return nil, err
 	}
 	return data, nil
 }
+
+func mdFilepath(mdFilename string) string {
+	return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
+}
--- a/pkg/tsdb/testdatasource/csv_data.go
+++ b/pkg/tsdb/testdatasource/csv_data.go
@ -77,13 +77,14 @@ func (s *Service) handleCsvFileScenario(ctx context.Context, req *backend.QueryD
 }

 func (s *Service) loadCsvFile(fileName string) (*data.Frame, error) {
-	validFileName := regexp.MustCompile(`([\w_]+)\.csv`)
+	validFileName := regexp.MustCompile(`^\w+\.csv$`)

 	if !validFileName.MatchString(fileName) {
 		return nil, fmt.Errorf("invalid csv file name: %q", fileName)
 	}

-	filePath := filepath.Join(s.cfg.StaticRootPath, "testdata", fileName)
+	csvFilepath := filepath.Clean(filepath.Join("/", fileName))
+	filePath := filepath.Join(s.cfg.StaticRootPath, "testdata", csvFilepath)

 	// Can ignore gosec G304 here, because we check the file pattern above
 	// nolint:gosec