Apply security patch 357-202503311017.patch (#104490)

* Sanitize paths before evaluating access to route * use util.CleanRelativePath --------- Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
2025-08-03 00:42:03 +08:00 · 2025-04-24 15:15:17 -04:00
parent a6735721bf
commit 1f707d16ed
2 changed files with 17 additions and 1 deletions
--- a/pkg/api/pluginproxy/ds_proxy_test.go
+++ b/pkg/api/pluginproxy/ds_proxy_test.go
@ -274,6 +274,14 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 				err = proxy.validateRequest()
 				require.NoError(t, err)
 			})
+
+			t.Run("path with slashes and user is editor", func(t *testing.T) {
+				ctx, _ := setUp()
+				proxy, err := setupDSProxyTest(t, ctx, ds, routes, "//api//admin")
+				require.NoError(t, err)
+				err = proxy.validateRequest()
+				require.Error(t, err)
+			})
 		})

 		t.Run("plugin route with RBAC protection user is allowed", func(t *testing.T) {