diff --git a/pkg/infra/filestorage/api.go b/pkg/infra/filestorage/api.go index 645ae462cf9..e298d6ce768 100644 --- a/pkg/infra/filestorage/api.go +++ b/pkg/infra/filestorage/api.go @@ -27,7 +27,7 @@ var ( ) func ValidatePath(path string) error { - if !filepath.IsAbs(path) { + if !strings.HasPrefix(path, Delimiter) { return ErrRelativePath } @@ -39,7 +39,8 @@ func ValidatePath(path string) error { return ErrPathEndsWithDelimiter } - if filepath.Clean(path) != path { + // apply `ToSlash` to replace OS-specific separators introduced by the Clean() function + if filepath.ToSlash(filepath.Clean(path)) != path { return ErrNonCanonicalPath } diff --git a/pkg/infra/filestorage/api_test.go b/pkg/infra/filestorage/api_test.go index f22393bdd36..4cbf2906219 100644 --- a/pkg/infra/filestorage/api_test.go +++ b/pkg/infra/filestorage/api_test.go @@ -100,6 +100,9 @@ func TestFilestorageApi_ValidatePath(t *testing.T) { { path: "/myFile/file.jpg", }, + { + path: "/file.jpg", + }, } for _, tt := range tests { if tt.expectedError == nil { diff --git a/pkg/plugins/backendplugin/pluginextensionv2/generate.sh b/pkg/plugins/backendplugin/pluginextensionv2/generate.sh index dade69745c5..c7e2379cf79 100755 --- a/pkg/plugins/backendplugin/pluginextensionv2/generate.sh +++ b/pkg/plugins/backendplugin/pluginextensionv2/generate.sh @@ -13,4 +13,4 @@ DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" cd "$DIR" -protoc -I ./ rendererv2.proto --go_out=plugins=grpc:./ \ No newline at end of file +protoc -I ./ *.proto --go_out=plugins=grpc:./ diff --git a/pkg/plugins/backendplugin/pluginextensionv2/renderer_grpc_plugin.go b/pkg/plugins/backendplugin/pluginextensionv2/renderer_grpc_plugin.go index 6aef8a1ecd0..6dcc8e2e261 100644 --- a/pkg/plugins/backendplugin/pluginextensionv2/renderer_grpc_plugin.go +++ b/pkg/plugins/backendplugin/pluginextensionv2/renderer_grpc_plugin.go @@ -9,6 +9,7 @@ import ( type RendererPlugin interface { RendererClient + SanitizerClient } type RendererGRPCPlugin struct { @@ -20,11 +21,16 @@ func (p *RendererGRPCPlugin) GRPCServer(broker *plugin.GRPCBroker, s *grpc.Serve } func (p *RendererGRPCPlugin) GRPCClient(ctx context.Context, broker *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) { - return &RendererGRPCClient{NewRendererClient(c)}, nil + return &RendererGRPCClient{NewRendererClient(c), NewSanitizerClient(c)}, nil } type RendererGRPCClient struct { RendererClient + SanitizerClient +} + +func (m *RendererGRPCClient) Sanitize(ctx context.Context, req *SanitizeRequest, opts ...grpc.CallOption) (*SanitizeResponse, error) { + return m.SanitizerClient.Sanitize(ctx, req, opts...) } func (m *RendererGRPCClient) Render(ctx context.Context, req *RenderRequest, opts ...grpc.CallOption) (*RenderResponse, error) { @@ -32,4 +38,5 @@ func (m *RendererGRPCClient) Render(ctx context.Context, req *RenderRequest, opt } var _ RendererClient = &RendererGRPCClient{} +var _ SanitizerClient = &RendererGRPCClient{} var _ plugin.GRPCPlugin = &RendererGRPCPlugin{} diff --git a/pkg/plugins/backendplugin/pluginextensionv2/rendererv2.pb.go b/pkg/plugins/backendplugin/pluginextensionv2/rendererv2.pb.go index 75e5f4e4a31..9194ea8dcb1 100644 --- a/pkg/plugins/backendplugin/pluginextensionv2/rendererv2.pb.go +++ b/pkg/plugins/backendplugin/pluginextensionv2/rendererv2.pb.go @@ -1,21 +1,20 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.26.0 -// protoc v3.15.8 +// protoc-gen-go v1.28.0 +// protoc v3.19.4 // source: rendererv2.proto package pluginextensionv2 import ( context "context" - reflect "reflect" - sync "sync" - grpc "google.golang.org/grpc" codes "google.golang.org/grpc/codes" status "google.golang.org/grpc/status" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" ) const ( diff --git a/pkg/plugins/backendplugin/pluginextensionv2/sanitizer.pb.go b/pkg/plugins/backendplugin/pluginextensionv2/sanitizer.pb.go new file mode 100644 index 00000000000..b4cd30b7ab1 --- /dev/null +++ b/pkg/plugins/backendplugin/pluginextensionv2/sanitizer.pb.go @@ -0,0 +1,337 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.28.0 +// protoc v3.19.4 +// source: sanitizer.proto + +package pluginextensionv2 + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type SanitizeRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Filename string `protobuf:"bytes,1,opt,name=filename,proto3" json:"filename,omitempty"` + Content []byte `protobuf:"bytes,2,opt,name=content,proto3" json:"content,omitempty"` + ConfigType string `protobuf:"bytes,3,opt,name=configType,proto3" json:"configType,omitempty"` // DOMPurify, ... + Config []byte `protobuf:"bytes,4,opt,name=config,proto3" json:"config,omitempty"` +} + +func (x *SanitizeRequest) Reset() { + *x = SanitizeRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_sanitizer_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SanitizeRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SanitizeRequest) ProtoMessage() {} + +func (x *SanitizeRequest) ProtoReflect() protoreflect.Message { + mi := &file_sanitizer_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SanitizeRequest.ProtoReflect.Descriptor instead. +func (*SanitizeRequest) Descriptor() ([]byte, []int) { + return file_sanitizer_proto_rawDescGZIP(), []int{0} +} + +func (x *SanitizeRequest) GetFilename() string { + if x != nil { + return x.Filename + } + return "" +} + +func (x *SanitizeRequest) GetContent() []byte { + if x != nil { + return x.Content + } + return nil +} + +func (x *SanitizeRequest) GetConfigType() string { + if x != nil { + return x.ConfigType + } + return "" +} + +func (x *SanitizeRequest) GetConfig() []byte { + if x != nil { + return x.Config + } + return nil +} + +type SanitizeResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"` + Sanitized []byte `protobuf:"bytes,2,opt,name=sanitized,proto3" json:"sanitized,omitempty"` +} + +func (x *SanitizeResponse) Reset() { + *x = SanitizeResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_sanitizer_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SanitizeResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SanitizeResponse) ProtoMessage() {} + +func (x *SanitizeResponse) ProtoReflect() protoreflect.Message { + mi := &file_sanitizer_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SanitizeResponse.ProtoReflect.Descriptor instead. +func (*SanitizeResponse) Descriptor() ([]byte, []int) { + return file_sanitizer_proto_rawDescGZIP(), []int{1} +} + +func (x *SanitizeResponse) GetError() string { + if x != nil { + return x.Error + } + return "" +} + +func (x *SanitizeResponse) GetSanitized() []byte { + if x != nil { + return x.Sanitized + } + return nil +} + +var File_sanitizer_proto protoreflect.FileDescriptor + +var file_sanitizer_proto_rawDesc = []byte{ + 0x0a, 0x0f, 0x73, 0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x12, 0x11, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, + 0x6f, 0x6e, 0x76, 0x32, 0x22, 0x7f, 0x0a, 0x0f, 0x53, 0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x6e, + 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x12, 0x1e, 0x0a, + 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x54, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x54, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, + 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x63, + 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x46, 0x0a, 0x10, 0x53, 0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a, + 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, + 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x12, + 0x1c, 0x0a, 0x09, 0x73, 0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0c, 0x52, 0x09, 0x73, 0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65, 0x64, 0x32, 0x60, 0x0a, + 0x09, 0x53, 0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65, 0x72, 0x12, 0x53, 0x0a, 0x08, 0x53, 0x61, + 0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65, 0x12, 0x22, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x65, + 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x76, 0x32, 0x2e, 0x53, 0x61, 0x6e, 0x69, 0x74, + 0x69, 0x7a, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x70, 0x6c, 0x75, + 0x67, 0x69, 0x6e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x76, 0x32, 0x2e, 0x53, + 0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, + 0x15, 0x5a, 0x13, 0x2e, 0x3b, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x65, 0x78, 0x74, 0x65, 0x6e, + 0x73, 0x69, 0x6f, 0x6e, 0x76, 0x32, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_sanitizer_proto_rawDescOnce sync.Once + file_sanitizer_proto_rawDescData = file_sanitizer_proto_rawDesc +) + +func file_sanitizer_proto_rawDescGZIP() []byte { + file_sanitizer_proto_rawDescOnce.Do(func() { + file_sanitizer_proto_rawDescData = protoimpl.X.CompressGZIP(file_sanitizer_proto_rawDescData) + }) + return file_sanitizer_proto_rawDescData +} + +var file_sanitizer_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_sanitizer_proto_goTypes = []interface{}{ + (*SanitizeRequest)(nil), // 0: pluginextensionv2.SanitizeRequest + (*SanitizeResponse)(nil), // 1: pluginextensionv2.SanitizeResponse +} +var file_sanitizer_proto_depIdxs = []int32{ + 0, // 0: pluginextensionv2.Sanitizer.Sanitize:input_type -> pluginextensionv2.SanitizeRequest + 1, // 1: pluginextensionv2.Sanitizer.Sanitize:output_type -> pluginextensionv2.SanitizeResponse + 1, // [1:2] is the sub-list for method output_type + 0, // [0:1] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_sanitizer_proto_init() } +func file_sanitizer_proto_init() { + if File_sanitizer_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_sanitizer_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SanitizeRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sanitizer_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SanitizeResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_sanitizer_proto_rawDesc, + NumEnums: 0, + NumMessages: 2, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_sanitizer_proto_goTypes, + DependencyIndexes: file_sanitizer_proto_depIdxs, + MessageInfos: file_sanitizer_proto_msgTypes, + }.Build() + File_sanitizer_proto = out.File + file_sanitizer_proto_rawDesc = nil + file_sanitizer_proto_goTypes = nil + file_sanitizer_proto_depIdxs = nil +} + +// Reference imports to suppress errors if they are not otherwise used. +var _ context.Context +var _ grpc.ClientConnInterface + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion6 + +// SanitizerClient is the client API for Sanitizer service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream. +type SanitizerClient interface { + Sanitize(ctx context.Context, in *SanitizeRequest, opts ...grpc.CallOption) (*SanitizeResponse, error) +} + +type sanitizerClient struct { + cc grpc.ClientConnInterface +} + +func NewSanitizerClient(cc grpc.ClientConnInterface) SanitizerClient { + return &sanitizerClient{cc} +} + +func (c *sanitizerClient) Sanitize(ctx context.Context, in *SanitizeRequest, opts ...grpc.CallOption) (*SanitizeResponse, error) { + out := new(SanitizeResponse) + err := c.cc.Invoke(ctx, "/pluginextensionv2.Sanitizer/Sanitize", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +// SanitizerServer is the server API for Sanitizer service. +type SanitizerServer interface { + Sanitize(context.Context, *SanitizeRequest) (*SanitizeResponse, error) +} + +// UnimplementedSanitizerServer can be embedded to have forward compatible implementations. +type UnimplementedSanitizerServer struct { +} + +func (*UnimplementedSanitizerServer) Sanitize(context.Context, *SanitizeRequest) (*SanitizeResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Sanitize not implemented") +} + +func RegisterSanitizerServer(s *grpc.Server, srv SanitizerServer) { + s.RegisterService(&_Sanitizer_serviceDesc, srv) +} + +func _Sanitizer_Sanitize_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(SanitizeRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SanitizerServer).Sanitize(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/pluginextensionv2.Sanitizer/Sanitize", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SanitizerServer).Sanitize(ctx, req.(*SanitizeRequest)) + } + return interceptor(ctx, in, info, handler) +} + +var _Sanitizer_serviceDesc = grpc.ServiceDesc{ + ServiceName: "pluginextensionv2.Sanitizer", + HandlerType: (*SanitizerServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Sanitize", + Handler: _Sanitizer_Sanitize_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "sanitizer.proto", +} diff --git a/pkg/plugins/backendplugin/pluginextensionv2/sanitizer.proto b/pkg/plugins/backendplugin/pluginextensionv2/sanitizer.proto new file mode 100644 index 00000000000..fc2606dab7c --- /dev/null +++ b/pkg/plugins/backendplugin/pluginextensionv2/sanitizer.proto @@ -0,0 +1,20 @@ +syntax = "proto3"; +package pluginextensionv2; + +option go_package = ".;pluginextensionv2"; + +message SanitizeRequest { + string filename = 1; + bytes content = 2; + string configType = 3; // DOMPurify, ... + bytes config = 4; +} + +message SanitizeResponse { + string error = 1; + bytes sanitized = 2; +} + +service Sanitizer { + rpc Sanitize(SanitizeRequest) returns (SanitizeResponse); +} diff --git a/pkg/server/backgroundsvcs/background_services.go b/pkg/server/backgroundsvcs/background_services.go index c6970da787b..9fa9558f050 100644 --- a/pkg/server/backgroundsvcs/background_services.go +++ b/pkg/server/backgroundsvcs/background_services.go @@ -25,6 +25,7 @@ import ( secretsManager "github.com/grafana/grafana/pkg/services/secrets/manager" "github.com/grafana/grafana/pkg/services/serviceaccounts" "github.com/grafana/grafana/pkg/services/store" + "github.com/grafana/grafana/pkg/services/store/sanitizer" "github.com/grafana/grafana/pkg/services/thumbs" "github.com/grafana/grafana/pkg/services/updatechecker" ) @@ -41,7 +42,7 @@ func ProvideBackgroundServiceRegistry( // Need to make sure these are initialized, is there a better place to put them? _ dashboardsnapshots.Service, _ *alerting.AlertNotificationService, _ serviceaccounts.Service, _ *guardian.Provider, - _ *plugindashboardsservice.DashboardUpdater, + _ *plugindashboardsservice.DashboardUpdater, _ *sanitizer.Provider, ) *BackgroundServiceRegistry { return NewBackgroundServiceRegistry( httpServer, diff --git a/pkg/server/wire.go b/pkg/server/wire.go index 8c3aafa4930..08ebbd15c0f 100644 --- a/pkg/server/wire.go +++ b/pkg/server/wire.go @@ -6,6 +6,7 @@ package server import ( "github.com/google/wire" sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient" + "github.com/grafana/grafana/pkg/services/store/sanitizer" "github.com/grafana/grafana/pkg/api" "github.com/grafana/grafana/pkg/api/avatar" @@ -263,6 +264,7 @@ var wireBasicSet = wire.NewSet( wire.Bind(new(alerting.DashAlertExtractor), new(*alerting.DashAlertExtractorService)), comments.ProvideService, guardian.ProvideService, + sanitizer.ProvideService, secretsStore.ProvideService, avatar.ProvideAvatarCacheServer, authproxy.ProvideAuthProxy, diff --git a/pkg/services/alerting/notifier_test.go b/pkg/services/alerting/notifier_test.go index b55e15870cc..29858fb65fa 100644 --- a/pkg/services/alerting/notifier_test.go +++ b/pkg/services/alerting/notifier_test.go @@ -339,6 +339,10 @@ type testRenderService struct { renderErrorImageProvider func(error error) (*rendering.RenderResult, error) } +func (s *testRenderService) SanitizeSVG(ctx context.Context, req *rendering.SanitizeSVGRequest) (*rendering.SanitizeSVGResponse, error) { + return &rendering.SanitizeSVGResponse{Sanitized: req.Content}, nil +} + func (s *testRenderService) HasCapability(feature rendering.CapabilityName) (rendering.CapabilitySupportRequestResult, error) { return rendering.CapabilitySupportRequestResult{}, nil } diff --git a/pkg/services/rendering/capabilities.go b/pkg/services/rendering/capabilities.go index 9339bfc4915..2087577ed04 100644 --- a/pkg/services/rendering/capabilities.go +++ b/pkg/services/rendering/capabilities.go @@ -16,6 +16,7 @@ type CapabilityName string const ( ScalingDownImages CapabilityName = "ScalingDownImages" FullHeightImages CapabilityName = "FullHeightImages" + SvgSanitization CapabilityName = "SvgSanitization" ) var ErrUnknownCapability = errors.New("unknown capability") diff --git a/pkg/services/rendering/interface.go b/pkg/services/rendering/interface.go index 1cf6abbbc3e..6a7197f12e9 100644 --- a/pkg/services/rendering/interface.go +++ b/pkg/services/rendering/interface.go @@ -62,6 +62,15 @@ type ErrorOpts struct { ErrorRenderUnavailable bool } +type SanitizeSVGRequest struct { + Filename string + Content []byte +} + +type SanitizeSVGResponse struct { + Sanitized []byte +} + type CSVOpts struct { TimeoutOpts AuthOpts @@ -83,6 +92,7 @@ type RenderCSVResult struct { type renderFunc func(ctx context.Context, renderKey string, options Opts) (*RenderResult, error) type renderCSVFunc func(ctx context.Context, renderKey string, options CSVOpts) (*RenderCSVResult, error) +type sanitizeFunc func(ctx context.Context, req *SanitizeSVGRequest) (*SanitizeSVGResponse, error) type renderKeyProvider interface { get(ctx context.Context, opts AuthOpts) (string, error) @@ -114,4 +124,5 @@ type Service interface { GetRenderUser(ctx context.Context, key string) (*RenderUser, bool) HasCapability(capability CapabilityName) (CapabilitySupportRequestResult, error) CreateRenderingSession(ctx context.Context, authOpts AuthOpts, sessionOpts SessionOpts) (Session, error) + SanitizeSVG(ctx context.Context, req *SanitizeSVGRequest) (*SanitizeSVGResponse, error) } diff --git a/pkg/services/rendering/mock.go b/pkg/services/rendering/mock.go index d8a52a81520..705a05a1f9f 100644 --- a/pkg/services/rendering/mock.go +++ b/pkg/services/rendering/mock.go @@ -139,6 +139,21 @@ func (mr *MockServiceMockRecorder) RenderErrorImage(arg0, arg1 interface{}) *gom return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RenderErrorImage", reflect.TypeOf((*MockService)(nil).RenderErrorImage), arg0, arg1) } +// SanitizeSVG mocks base method. +func (m *MockService) SanitizeSVG(arg0 context.Context, arg1 *SanitizeSVGRequest) (*SanitizeSVGResponse, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "SanitizeSVG", arg0, arg1) + ret0, _ := ret[0].(*SanitizeSVGResponse) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// SanitizeSVG indicates an expected call of SanitizeSVG. +func (mr *MockServiceMockRecorder) SanitizeSVG(arg0, arg1 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SanitizeSVG", reflect.TypeOf((*MockService)(nil).SanitizeSVG), arg0, arg1) +} + // Version mocks base method. func (m *MockService) Version() string { m.ctrl.T.Helper() diff --git a/pkg/services/rendering/rendering.go b/pkg/services/rendering/rendering.go index 694d93890f6..1bde374b7bb 100644 --- a/pkg/services/rendering/rendering.go +++ b/pkg/services/rendering/rendering.go @@ -27,18 +27,22 @@ func init() { remotecache.Register(&RenderUser{}) } +var _ Service = (*RenderingService)(nil) + const ServiceName = "RenderingService" type RenderingService struct { - log log.Logger - pluginInfo *plugins.Plugin - renderAction renderFunc - renderCSVAction renderCSVFunc - domain string - inProgressCount int32 - version string - versionMutex sync.RWMutex - capabilities []Capability + log log.Logger + pluginInfo *plugins.Plugin + renderAction renderFunc + renderCSVAction renderCSVFunc + sanitizeSVGAction sanitizeFunc + sanitizeURL string + domain string + inProgressCount int32 + version string + versionMutex sync.RWMutex + capabilities []Capability perRequestRenderKeyProvider renderKeyProvider Cfg *setting.Cfg @@ -59,8 +63,14 @@ func ProvideService(cfg *setting.Cfg, remoteCache *remotecache.RemoteCache, rm p return nil, fmt.Errorf("failed to create CSVs directory %q: %w", cfg.CSVsDir, err) } + logger := log.New("rendering") + + // URL for HTTP sanitize API + var sanitizeURL string + + // value used for domain attribute of renderKey cookie var domain string - // set value used for domain attribute of renderKey cookie + switch { case cfg.RendererUrl != "": // RendererCallbackUrl has already been passed, it won't generate an error. @@ -69,6 +79,7 @@ func ProvideService(cfg *setting.Cfg, remoteCache *remotecache.RemoteCache, rm p return nil, err } + sanitizeURL = getSanitizerURL(cfg.RendererUrl) domain = u.Hostname() case cfg.HTTPAddr != setting.DefaultHTTPAddr: domain = cfg.HTTPAddr @@ -76,7 +87,6 @@ func ProvideService(cfg *setting.Cfg, remoteCache *remotecache.RemoteCache, rm p domain = "localhost" } - logger := log.New("rendering") s := &RenderingService{ perRequestRenderKeyProvider: &perRequestRenderKeyProvider{ cache: remoteCache, @@ -92,16 +102,26 @@ func ProvideService(cfg *setting.Cfg, remoteCache *remotecache.RemoteCache, rm p name: ScalingDownImages, semverConstraint: ">= 3.4.0", }, + { + name: SvgSanitization, + semverConstraint: ">= 3.5.0", + }, }, Cfg: cfg, RemoteCacheService: remoteCache, RendererPluginManager: rm, log: logger, domain: domain, + sanitizeURL: sanitizeURL, } return s, nil } +func getSanitizerURL(rendererURL string) string { + rendererBaseURL := strings.TrimSuffix(rendererURL, "/render") + return rendererBaseURL + "/sanitize" +} + func (rs *RenderingService) Run(ctx context.Context) error { if rs.remoteAvailable() { rs.log = rs.log.New("renderer", "http") @@ -120,6 +140,7 @@ func (rs *RenderingService) Run(ctx context.Context) error { }) rs.renderAction = rs.renderViaHTTP rs.renderCSVAction = rs.renderCSVViaHTTP + rs.sanitizeSVGAction = rs.sanitizeViaHTTP refreshTicker := time.NewTicker(remoteVersionRefreshInterval) @@ -146,6 +167,7 @@ func (rs *RenderingService) Run(ctx context.Context) error { rs.version = rs.pluginInfo.Info.Version rs.renderAction = rs.renderViaPlugin rs.renderCSVAction = rs.renderCSVViaPlugin + rs.sanitizeSVGAction = rs.sanitizeSVGViaPlugin <-ctx.Done() // On Windows, Chromium is generating a debug.log file that breaks signature check on next restart @@ -293,6 +315,26 @@ func (rs *RenderingService) RenderCSV(ctx context.Context, opts CSVOpts, session return result, err } +func (rs *RenderingService) SanitizeSVG(ctx context.Context, req *SanitizeSVGRequest) (*SanitizeSVGResponse, error) { + capability, err := rs.HasCapability(SvgSanitization) + if err != nil { + return nil, err + } + + if !capability.IsSupported { + return nil, fmt.Errorf("svg sanitization unsupported, requires image renderer version: %s", capability.SemverConstraint) + } + + start := time.Now() + + action, err := rs.sanitizeSVGAction(ctx, req) + if err != nil { + defer rs.log.Info("svg sanitization finished", "duration", time.Since(start), "filename", req.Filename, "isError", err != nil) + } + + return action, err +} + func (rs *RenderingService) renderCSV(ctx context.Context, opts CSVOpts, renderKeyProvider renderKeyProvider) (*RenderCSVResult, error) { if int(atomic.LoadInt32(&rs.inProgressCount)) > opts.ConcurrentLimit { return nil, ErrConcurrentLimitReached diff --git a/pkg/services/rendering/svgSanitizer.go b/pkg/services/rendering/svgSanitizer.go new file mode 100644 index 00000000000..b6b40038032 --- /dev/null +++ b/pkg/services/rendering/svgSanitizer.go @@ -0,0 +1,178 @@ +package rendering + +import ( + "bytes" + "context" + "encoding/json" + "errors" + "fmt" + "io" + "mime/multipart" + "net/http" + "net/textproto" + "net/url" + "time" + + "github.com/grafana/grafana/pkg/plugins/backendplugin/pluginextensionv2" +) + +var ( + domPurifySvgConfig = map[string]interface{}{ + // domPurifyConfig is passed directly to DOMPurify https://github.com/cure53/DOMPurify#can-i-configure-dompurify + "domPurifyConfig": map[string]interface{}{ + "USE_PROFILES": map[string]bool{"svg": true, "svgFilters": true}, + "ADD_TAGS": []string{"use"}, + }, + // allowAllLinksInSvgUseTags will preserve all `use` tags. + // By default, we remove all non-self-referential `use` tags, i.e. those which `href` attribute does not start with `#` + "allowAllLinksInSvgUseTags": false, + } + domPurifyConfigType = "DOMPurify" +) + +type formFile struct { + fileName string + key string + contentType string + content io.Reader +} + +func createMultipartRequestBody(values []formFile) (bytes.Buffer, string, error) { + var b bytes.Buffer + w := multipart.NewWriter(&b) + for _, f := range values { + h := make(textproto.MIMEHeader) + h.Set("Content-Disposition", fmt.Sprintf(`form-data; name="%s"; filename="%s"`, f.key, f.fileName)) + h.Set("Content-Type", f.contentType) + formWriter, err := w.CreatePart(h) + + if err != nil { + return bytes.Buffer{}, "", err + } + + if _, err := io.Copy(formWriter, f.content); err != nil { + return bytes.Buffer{}, "", err + } + + if x, ok := f.content.(io.Closer); ok { + _ = x.Close() + } + } + + if err := w.Close(); err != nil { + return bytes.Buffer{}, "", err + } + + return b, w.FormDataContentType(), nil +} + +func (rs *RenderingService) sanitizeViaHTTP(ctx context.Context, req *SanitizeSVGRequest) (*SanitizeSVGResponse, error) { + sanitizerUrl, err := url.Parse(rs.sanitizeURL) + if err != nil { + return nil, err + } + + configJson, err := json.Marshal(map[string]interface{}{ + "config": domPurifySvgConfig, + "configType": domPurifyConfigType, + }) + if err != nil { + rs.log.Error("Sanitizer - HTTP: failed to create the request config", "error", err, "filename", req.Filename) + return nil, fmt.Errorf("config creation fail: %s", err) + } + + body, contentType, err := createMultipartRequestBody([]formFile{ + { + fileName: "config", + key: "config", + contentType: "application/json", + content: bytes.NewReader(configJson), + }, + { + fileName: req.Filename, + key: "file", + contentType: "image/svg+xml", + content: bytes.NewReader(req.Content), + }, + }) + if err != nil { + rs.log.Error("Sanitizer - HTTP: failed to create the request body", "error", err, "filename", req.Filename) + return nil, fmt.Errorf("body creation fail: %s", err) + } + + reqContext, cancel := context.WithTimeout(ctx, 10*time.Second) + defer cancel() + httpReq, err := http.NewRequestWithContext(reqContext, "POST", sanitizerUrl.String(), &body) + if err != nil { + rs.log.Error("Sanitizer - HTTP: failed to create the HTTP request", "error", err, "filename", req.Filename) + return nil, err + } + + httpReq.Header.Set("User-Agent", fmt.Sprintf("Grafana/%s", rs.Cfg.BuildVersion)) + httpReq.Header.Set("Content-Type", contentType) + + rs.log.Debug("Sanitizer - HTTP: calling", "filename", req.Filename, "contentLength", len(req.Content), "url", sanitizerUrl) + // make request to renderer server + resp, err := netClient.Do(httpReq) + if err != nil { + rs.log.Error("Sanitizer - HTTP: failed to send request", "error", err) + return nil, fmt.Errorf("sanitizer - HTTP: failed to send request: %w", err) + } + + defer func() { + if err := resp.Body.Close(); err != nil { + rs.log.Error("Sanitizer - HTTP: failed to close response body", "statusCode", resp.StatusCode, "error", err) + } + }() + + if resp.StatusCode != http.StatusOK { + if body, err := io.ReadAll(resp.Body); body != nil { + rs.log.Error("Sanitizer - HTTP: failed to sanitize", "statusCode", resp.StatusCode, "error", err, "resp", string(body)) + } else { + rs.log.Error("Sanitizer - HTTP: failed to sanitize", "statusCode", resp.StatusCode, "error", err) + } + return nil, fmt.Errorf("sanitizer - HTTP: failed to sanitize %s", req.Filename) + } + + sanitized, err := io.ReadAll(resp.Body) + if err != nil { + rs.log.Error("Sanitizer - HTTP: failed to read response body", "error", err, "filename", req.Filename) + return nil, fmt.Errorf("sanitizer - HTTP: failed to read response body: %s", err) + } + + return &SanitizeSVGResponse{Sanitized: sanitized}, nil +} + +func (rs *RenderingService) sanitizeSVGViaPlugin(ctx context.Context, req *SanitizeSVGRequest) (*SanitizeSVGResponse, error) { + ctx, cancel := context.WithTimeout(ctx, time.Second*20) + defer cancel() + + domPurifyConfig, err := json.Marshal(domPurifySvgConfig) + if err != nil { + rs.log.Error("Sanitizer - plugin: failed to parse domPurifyConfig") + return nil, fmt.Errorf("sanitizer - plugin: failed to parse domPurifyConfig %s", err) + } + grpcReq := &pluginextensionv2.SanitizeRequest{ + Filename: req.Filename, + Content: req.Content, + ConfigType: domPurifyConfigType, + Config: domPurifyConfig, + } + rs.log.Debug("Sanitizer - plugin: calling", "filename", req.Filename, "contentLength", len(req.Content)) + + rsp, err := rs.pluginInfo.Renderer.Sanitize(ctx, grpcReq) + if err != nil { + if errors.Is(ctx.Err(), context.DeadlineExceeded) { + rs.log.Info("Sanitizer - plugin: time out") + return nil, ErrTimeout + } + + return nil, err + } + + if rsp.Error != "" { + return nil, fmt.Errorf("sanitizer - plugin: failed to sanitize: %s", rsp.Error) + } + + return &SanitizeSVGResponse{Sanitized: rsp.Sanitized}, nil +} diff --git a/pkg/services/store/http.go b/pkg/services/store/http.go index bdbb634a161..d177759a256 100644 --- a/pkg/services/store/http.go +++ b/pkg/services/store/http.go @@ -126,6 +126,11 @@ func (s *httpStorage) Read(c *models.ReqContext) response.Response { if err != nil { return response.Error(400, "cannot call read", err) } + + if file == nil || file.Contents == nil { + return response.Error(404, "file does not exist", err) + } + // set the correct content type for svg if strings.HasSuffix(path, ".svg") { c.Resp.Header().Set("Content-Type", "image/svg+xml") diff --git a/pkg/services/store/sanitize.go b/pkg/services/store/sanitize.go index 6634b77b7f5..df19e9ceaee 100644 --- a/pkg/services/store/sanitize.go +++ b/pkg/services/store/sanitize.go @@ -6,20 +6,44 @@ import ( "github.com/grafana/grafana/pkg/infra/filestorage" "github.com/grafana/grafana/pkg/models" + "github.com/grafana/grafana/pkg/services/rendering" + "github.com/grafana/grafana/pkg/services/store/sanitizer" ) -func (s *standardStorageService) sanitizeUploadRequest(ctx context.Context, user *models.SignedInUser, req *UploadRequest, storagePath string) (*filestorage.UpsertFileCommand, error) { +func (s *standardStorageService) sanitizeContents(ctx context.Context, user *models.SignedInUser, req *UploadRequest, storagePath string) ([]byte, error) { if req.EntityType == EntityTypeImage { ext := filepath.Ext(req.Path) - //nolint: staticcheck if ext == ".svg" { - // TODO: sanitize svg + resp, err := sanitizer.SanitizeSVG(ctx, &rendering.SanitizeSVGRequest{ + Filename: storagePath, + Content: req.Contents, + }) + if err != nil { + if s.cfg.allowUnsanitizedSvgUpload { + grafanaStorageLogger.Debug("allowing unsanitized svg upload", "filename", req.Path, "sanitizationError", err) + return req.Contents, nil + } else { + grafanaStorageLogger.Debug("disallowing unsanitized svg upload", "filename", req.Path, "sanitizationError", err) + return nil, err + } + } + + return resp.Sanitized, nil } } + return req.Contents, nil +} + +func (s *standardStorageService) sanitizeUploadRequest(ctx context.Context, user *models.SignedInUser, req *UploadRequest, storagePath string) (*filestorage.UpsertFileCommand, error) { + contents, err := s.sanitizeContents(ctx, user, req, storagePath) + if err != nil { + return nil, err + } + return &filestorage.UpsertFileCommand{ Path: storagePath, - Contents: req.Contents, + Contents: contents, MimeType: req.MimeType, CacheControl: req.CacheControl, ContentDisposition: req.ContentDisposition, diff --git a/pkg/services/store/sanitizer/Provider.go b/pkg/services/store/sanitizer/Provider.go new file mode 100644 index 00000000000..9830b05c200 --- /dev/null +++ b/pkg/services/store/sanitizer/Provider.go @@ -0,0 +1,23 @@ +package sanitizer + +import ( + "context" + "errors" + + "github.com/grafana/grafana/pkg/services/rendering" +) + +// workaround for cyclic dep between the store and the renderer + +type Provider struct{} + +var SanitizeSVG = func(ctx context.Context, req *rendering.SanitizeSVGRequest) (*rendering.SanitizeSVGResponse, error) { + return nil, errors.New("not implemented") +} + +func ProvideService( + renderer rendering.Service, +) *Provider { + SanitizeSVG = renderer.SanitizeSVG + return &Provider{} +} diff --git a/pkg/services/store/service.go b/pkg/services/store/service.go index be879f00133..7089494a7c4 100644 --- a/pkg/services/store/service.go +++ b/pkg/services/store/service.go @@ -48,9 +48,14 @@ type StorageService interface { sanitizeUploadRequest(ctx context.Context, user *models.SignedInUser, req *UploadRequest, storagePath string) (*filestorage.UpsertFileCommand, error) } +type storageServiceConfig struct { + allowUnsanitizedSvgUpload bool +} + type standardStorageService struct { sql *sqlstore.SQLStore tree *nestedTree + cfg storageServiceConfig } func ProvideService(sql *sqlstore.SQLStore, features featuremgmt.FeatureToggles, cfg *setting.Cfg) StorageService { @@ -83,6 +88,9 @@ func ProvideService(sql *sqlstore.SQLStore, features featuremgmt.FeatureToggles, s := newStandardStorageService(globalRoots, initializeOrgStorages) s.sql = sql + s.cfg = storageServiceConfig{ + allowUnsanitizedSvgUpload: false, + } return s } diff --git a/pkg/services/store/utils.go b/pkg/services/store/utils.go index 95777ace5e0..70f47349f39 100644 --- a/pkg/services/store/utils.go +++ b/pkg/services/store/utils.go @@ -1,7 +1,6 @@ package store import ( - "path/filepath" "strings" "github.com/grafana/grafana/pkg/models" @@ -27,5 +26,5 @@ func getPathAndScope(c *models.ReqContext) (string, string) { if path == "" { return "", "" } - return splitFirstSegment(filepath.Clean(path)) + return splitFirstSegment(path) } diff --git a/pkg/services/store/validate.go b/pkg/services/store/validate.go index b067e0216fd..7ad7cf391bf 100644 --- a/pkg/services/store/validate.go +++ b/pkg/services/store/validate.go @@ -13,6 +13,7 @@ var ( allowedImageExtensions = map[string]bool{ ".jpg": true, ".jpeg": true, + ".svg": true, ".gif": true, ".png": true, ".webp": true, @@ -23,6 +24,7 @@ var ( ".gif": {"image/gif": true}, ".png": {"image/png": true}, ".webp": {"image/webp": true}, + ".svg": {"text/xml; charset=utf-8": true, "text/plain; charset=utf-8": true, "image/svg+xml": true}, } ) @@ -68,7 +70,7 @@ func (s *standardStorageService) validateUploadRequest(ctx context.Context, user // TODO: validateProperties if err := filestorage.ValidatePath(storagePath); err != nil { - return fail("path validation failed: " + err.Error()) + return fail("path validation failed. error:" + err.Error() + ". path: " + storagePath) } switch req.EntityType {