public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Apply security patch 357-202503311017.patch (#104490)

Browse Source 
* Sanitize paths before evaluating access to route

* use util.CleanRelativePath

---------

Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
This commit is contained in:
Yuri Tseretyan
2025-04-24 15:15:17 -04:00
committed by GitHub
parent a6735721bf
commit 1f707d16ed
2 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/api/pluginproxy/ds_proxy.go
+9 -1
View File
@@ -300,7 +300,15 @@ func (proxy *DataSourceProxy) validateRequest() error {
}
// route match
if !strings.HasPrefix(proxy.proxyPath, route.Path) {
r1, err := util.CleanRelativePath(proxy.proxyPath)
if err != nil {
return err
}
r2, err := util.CleanRelativePath(route.Path)
if err != nil {
return err
}
if !strings.HasPrefix(r1, r2) {
continue
}
pkg/api/pluginproxy/ds_proxy_test.go
+8
View File
@@ -274,6 +274,14 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
err = proxy.validateRequest()
require.NoError(t, err)
})
t.Run("path with slashes and user is editor", func(t *testing.T) {
ctx, _ := setUp()
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "//api//admin")
require.NoError(t, err)
err = proxy.validateRequest()
require.Error(t, err)
})
})
t.Run("plugin route with RBAC protection user is allowed", func(t *testing.T) {