mirror of
https://github.com/grafana/grafana.git
synced 2025-07-30 14:12:26 +08:00
track signature files + add warn log (#38938)
This commit is contained in:
Will Browne
@ -3,12 +3,10 @@ package api
|
||||
import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"sort"
|
||||
"strings"
|
||||
|
||||
"github.com/grafana/grafana-plugin-sdk-go/backend"
|
||||
"github.com/grafana/grafana/pkg/api/dtos"
|
||||
@ -21,14 +19,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
)
|
||||
|
||||
var permittedFileExts = []string{
|
||||
".html", ".xhtml", ".css", ".js", ".json", ".jsonld", ".map", ".mjs",
|
||||
".jpeg", ".jpg", ".png", ".gif", ".svg", ".webp", ".ico",
|
||||
".woff", ".woff2", ".eot", ".ttf", ".otf",
|
||||
".wav", ".mp3",
|
||||
".md", ".pdf", ".txt",
|
||||
}
|
||||
|
||||
func (hs *HTTPServer) GetPluginList(c *models.ReqContext) response.Response {
|
||||
typeFilter := c.Query("type")
|
||||
enabledFilter := c.Query("enabled")
|
||||
@ -262,10 +252,10 @@ func (hs *HTTPServer) CollectPluginMetrics(c *models.ReqContext) response.Respon
|
||||
return response.CreateNormalResponse(headers, resp.PrometheusMetrics, http.StatusOK)
|
||||
}
|
||||
|
||||
// GetPluginAssets returns public plugin assets (images, JS, etc.)
|
||||
// getPluginAssets returns public plugin assets (images, JS, etc.)
|
||||
//
|
||||
// /public/plugins/:pluginId/*
|
||||
func (hs *HTTPServer) GetPluginAssets(c *models.ReqContext) {
|
||||
func (hs *HTTPServer) getPluginAssets(c *models.ReqContext) {
|
||||
pluginID := c.Params("pluginId")
|
||||
plugin := hs.PluginManager.GetPlugin(pluginID)
|
||||
if plugin == nil {
|
||||
@ -276,6 +266,11 @@ func (hs *HTTPServer) GetPluginAssets(c *models.ReqContext) {
|
||||
requestedFile := filepath.Clean(c.Params("*"))
|
||||
pluginFilePath := filepath.Join(plugin.PluginDir, requestedFile)
|
||||
|
||||
if !plugin.IncludedInSignature(requestedFile) {
|
||||
hs.log.Warn("Access to requested plugin file will be forbidden in upcoming Grafana versions as the file "+
|
||||
"is not included in the plugin signature", "file", requestedFile)
|
||||
}
|
||||
|
||||
// It's safe to ignore gosec warning G304 since we already clean the requested file path and subsequently
|
||||
// use this with a prefix of the plugin's directory, which is set during plugin loading
|
||||
// nolint:gosec
|
||||
@ -300,12 +295,6 @@ func (hs *HTTPServer) GetPluginAssets(c *models.ReqContext) {
|
||||
return
|
||||
}
|
||||
|
||||
if accessForbidden(fi.Name()) {
|
||||
c.JsonApiErr(403, "Plugin file access forbidden",
|
||||
fmt.Errorf("access is forbidden to plugin file %s", pluginFilePath))
|
||||
return
|
||||
}
|
||||
|
||||
if hs.Cfg.Env == setting.Dev {
|
||||
c.Resp.Header().Set("Cache-Control", "max-age=0, must-revalidate, no-cache")
|
||||
} else {
|
||||
@ -448,14 +437,3 @@ func translatePluginRequestErrorToAPIError(err error) response.Response {
|
||||
|
||||
return response.Error(500, "Plugin request failed", err)
|
||||
}
|
||||
|
||||
func accessForbidden(pluginFilename string) bool {
|
||||
ext := filepath.Ext(pluginFilename)
|
||||
|
||||
for _, permittedExt := range permittedFileExts {
|
||||
if strings.EqualFold(permittedExt, ext) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user