From b3569971da2f66b57eacc59b57e3bf0f2c4b610e Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Fri, 18 Apr 2025 21:51:03 +0000
Subject: [PATCH] apply security patch: release-11.5.4/365-202504020730.patch

commit d96895e4f98d1d8cce6d731f6421f6fd1fb6dd94
Author: Andres Martinez Gotor
Date: Mon Mar 31 12:15:52 2025 +0200

    Sanitize paths before evaluating access to route
---
 pkg/api/pluginproxy/ds_proxy.go | 10 +++++++++-
 pkg/api/pluginproxy/ds_proxy_test.go | 8 ++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/pkg/api/pluginproxy/ds_proxy.go b/pkg/api/pluginproxy/ds_proxy.go
index c90d5b334fa..2b93a4007a3 100644
--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
@@ -302,7 +302,15 @@ func (proxy *DataSourceProxy) validateRequest() error {
 }
 
 // route match
- if !strings.HasPrefix(proxy.proxyPath, route.Path) {
+ r1, err := util.CleanRelativePath(proxy.proxyPath)
+ if err != nil {
+ return err
+ }
+ r2, err := util.CleanRelativePath(route.Path)
+ if err != nil {
+ return err
+ }
+ if !strings.HasPrefix(r1, r2) {
 continue
 }
 
diff --git a/pkg/api/pluginproxy/ds_proxy_test.go b/pkg/api/pluginproxy/ds_proxy_test.go
index a2b70b8aa2a..9a285e5f232 100644
--- a/pkg/api/pluginproxy/ds_proxy_test.go
+++ b/pkg/api/pluginproxy/ds_proxy_test.go
@@ -274,6 +274,14 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 err = proxy.validateRequest()
 require.NoError(t, err)
 })
+
+ t.Run("path with slashes and user is editor", func(t *testing.T) {
+ ctx, _ := setUp()
+ proxy, err := setupDSProxyTest(t, ctx, ds, routes, "//api//admin")
+ require.NoError(t, err)
+ err = proxy.validateRequest()
+ require.Error(t, err)
+ })
 })
 
 t.Run("plugin route with RBAC protection user is allowed", func(t *testing.T) {
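Review bot: The new comparison `if !strings.HasPrefix(r1, r2)` still matches on a raw string prefix rather than a path-segment boundary, so after cleaning, a request path like `api/adminx` is treated as matching a route whose cleaned path is `api/admin`; unless route paths are guaranteed to end in a separator, the match should stop at a segment boundary, e.g. `if r1 != r2 && !strings.HasPrefix(r1, r2+"/") {` (keeping the plain-prefix form only for an empty catch-all route path, if such routes exist). It is also worth confirming, outside this hunk, that the path later forwarded upstream is the cleaned `r1` and not the raw `proxy.proxyPath`, since otherwise the path that was authorized and the path that is proxied can differ. As a smaller point, `util.CleanRelativePath(route.Path)` is recomputed for every route on every request even though route paths are static; cleaning them once when the routes are loaded would keep this loop to a single cleaning call. validateRequest's body starts and ends outside this hunk.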
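Review bot: The new regression test exercises only the duplicated-slash form `//api//admin`; since the fix relies on `util.CleanRelativePath`, which presumably also collapses dot segments, a second sub-test using a dot-segment spelling of the same route path would pin that part of the behaviour and guard against a future change that only strips repeated separators. `require.Error(t, err)` accepts any error, so it cannot distinguish the intended role-check rejection from `CleanRelativePath` itself failing; if the role-check error message or sentinel is stable, asserting on it (e.g. with `require.ErrorContains`) would make the test specific. The enclosing t.Run group starts outside this hunk.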