* Security: Sync security changes on main (#45083)
* * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search
* Teams: Ensure that users searching for teams are only able see teams they have access to
* Teams: Require teamGuardian admin privileges to list team members
* Teams: Prevent org viewers from administering teams
* Teams: Add org_id condition to team count query
* Teams: clarify permission requirements in teams api docs
* Teams: expand scenarios for team search tests
* Teams: mock teamGuardian in tests
Co-authored-by: Dan Cech <dcech@grafana.com>
* remove duplicate WHERE statement
* Fix for CVE-2022-21702
(cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e)
* Lint and test fixes
(cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981)
* check content type properly
(cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98)
* basic csrf origin check
(cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1)
* compare origin to host
(cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42)
* simplify url parsing
(cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d)
* check csrf for GET requests, only compare origin
(cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709)
* parse content type properly
(cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0)
* mentioned get in the comment
(cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345)
* add content-type: application/json to test HTTP requests
* fix pluginproxy test
* Fix linter when comparing errors
Co-authored-by: Kevin Minehart <kmineh0151@gmail.com>
Co-authored-by: Dan Cech <dcech@grafana.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com>
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
(cherry picked from commit 605d056136)
* Apply suggestions from code review
* remove uneeded test fix from patch
Co-authored-by: Dimitris Sotirakis <sotirakis.dim@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: jguer <joao.guerreiro@grafana.com>
This commit is contained in:
Vardan Torosyan
GitHub
@@ -670,6 +670,20 @@ func TestDataSourceProxy_requestHandling(t *testing.T) {
|
||||
assert.Equal(t, "important_cookie=important_value", proxy.ctx.Resp.Header().Get("Set-Cookie"))
|
||||
})
|
||||
|
||||
t.Run("When response should set Content-Security-Policy header", func(t *testing.T) {
|
||||
ctx, ds := setUp(t)
|
||||
var routes []*plugins.Route
|
||||
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
|
||||
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
|
||||
proxy, err := NewDataSourceProxy(ds, routes, ctx, "/render", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService, tracer)
|
||||
require.NoError(t, err)
|
||||
|
||||
proxy.HandleRequest()
|
||||
|
||||
require.NoError(t, writeErr)
|
||||
assert.Equal(t, "sandbox", proxy.ctx.Resp.Header().Get("Content-Security-Policy"))
|
||||
})
|
||||
|
||||
t.Run("Data source returns status code 401", func(t *testing.T) {
|
||||
ctx, ds := setUp(t, setUpCfg{
|
||||
writeCb: func(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
Reference in New Issue
Block a user