[v8.3.x] Sync security changes (#45067)

* "Release: Updated versions in package to 8.3.5" * [v8.3.x] Fix for CVE-2022-21702 (#225) Fix for CVE-2022-21702 * Update yarn.lock for 8.3.5 * resolve conflicts (cherry picked from commit bb38cfcba4b4f824060ff385d858c63f50b72d74) * csrf checks for v8.3.5 (#234) * Fix lint * Cherry pick e2e test server changes Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com>
2022-02-08 15:35:38 +01:00
parent 667f884db1
commit f42d0b9beb
30 changed files with 252 additions and 92 deletions
@@ -4,6 +4,7 @@ import (
 	"context"
 	"io/ioutil"
 	"net/http"
+	"net/http/httptest"
 	"testing"

 	"github.com/grafana/grafana/pkg/bus"
@@ -13,6 +14,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/secrets/fakes"
 	secretsManager "github.com/grafana/grafana/pkg/services/secrets/manager"
 	"github.com/grafana/grafana/pkg/setting"
+	"github.com/grafana/grafana/pkg/web"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"gopkg.in/macaron.v1"
@@ -245,6 +247,41 @@ func TestPluginProxy(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, `{ "url": "https://dynamic.grafana.com", "secret": "123"	}`, string(content))
 	})
+
+	t.Run("When proxying a request should set expected response headers", func(t *testing.T) {
+		requestHandled := false
+		backendServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(200)
+			_, _ = w.Write([]byte("I am the backend"))
+			requestHandled = true
+		}))
+		t.Cleanup(backendServer.Close)
+
+		responseWriter := web.NewResponseWriter("GET", httptest.NewRecorder())
+
+		route := &plugins.Route{
+			Path: "/",
+			URL:  backendServer.URL,
+		}
+
+		ctx := &models.ReqContext{
+			SignedInUser: &models.SignedInUser{},
+			Context: &web.Context{
+				Req:  httptest.NewRequest("GET", "/", nil),
+				Resp: responseWriter,
+			},
+		}
+		proxy := NewApiPluginProxy(ctx, "", route, "", &setting.Cfg{}, secretsService)
+		proxy.ServeHTTP(ctx.Resp, ctx.Req)
+
+		for {
+			if requestHandled {
+				break
+			}
+		}
+
+		require.Equal(t, "sandbox", ctx.Resp.Header().Get("Content-Security-Policy"))
+	})
 }

 // getPluginProxiedRequest is a helper for easier setup of tests based on global config and ReqContext.