Renderer: Add sanitize API (#50936)

* svg fun * #50597: add proto * #50597: add sanitizer methods * #50597: add provider * #50597: use sanitizer * #50597: use sanitizer * update grafana to match new api * add comments * add capability check * add timing * update sanitize path * improve log message * strings.HasPrefix rather than filepath.IsAbs * filepath.Clean + filepath.ToSlash for windows * read 404 * remove `path.clean` from `getPathAndScope` * add resp body close * remove unneeded prop * Update pkg/services/rendering/rendering.go Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> * remove test files * filepath.ToSlash correct wrapping * filepath.ToSlash correct wrapping * filepath.ToSlash comment * compilation error * lint fix * fix error message * Update pkg/services/rendering/rendering.go Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> * add `image/svg+xml` mime type * refactored log * refactored log Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com>
2025-08-01 08:52:38 +08:00 · 2022-07-07 15:32:18 +04:00
parent f279699beb
commit e96f67ae2e
21 changed files with 710 additions and 28 deletions
--- a/pkg/infra/filestorage/api.go
+++ b/pkg/infra/filestorage/api.go
@ -27,7 +27,7 @@ var (
 )

 func ValidatePath(path string) error {
-	if !filepath.IsAbs(path) {
+	if !strings.HasPrefix(path, Delimiter) {
 		return ErrRelativePath
 	}

@ -39,7 +39,8 @@ func ValidatePath(path string) error {
 		return ErrPathEndsWithDelimiter
 	}

-	if filepath.Clean(path) != path {
+	// apply `ToSlash` to replace OS-specific separators introduced by the Clean() function
+	if filepath.ToSlash(filepath.Clean(path)) != path {
 		return ErrNonCanonicalPath
 	}

--- a/pkg/infra/filestorage/api_test.go
+++ b/pkg/infra/filestorage/api_test.go
@ -100,6 +100,9 @@ func TestFilestorageApi_ValidatePath(t *testing.T) {
 		{
 			path: "/myFile/file.jpg",
 		},
+		{
+			path: "/file.jpg",
+		},
 	}
 	for _, tt := range tests {
 		if tt.expectedError == nil {
--- a/pkg/plugins/backendplugin/pluginextensionv2/generate.sh
+++ b/pkg/plugins/backendplugin/pluginextensionv2/generate.sh
@ -13,4 +13,4 @@ DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"

 cd "$DIR"

-protoc -I ./ rendererv2.proto --go_out=plugins=grpc:./
+protoc -I ./ *.proto --go_out=plugins=grpc:./
--- a/pkg/plugins/backendplugin/pluginextensionv2/renderer_grpc_plugin.go
+++ b/pkg/plugins/backendplugin/pluginextensionv2/renderer_grpc_plugin.go
@ -9,6 +9,7 @@ import (

 type RendererPlugin interface {
 	RendererClient
+	SanitizerClient
 }

 type RendererGRPCPlugin struct {
@ -20,11 +21,16 @@ func (p *RendererGRPCPlugin) GRPCServer(broker *plugin.GRPCBroker, s *grpc.Serve
 }

 func (p *RendererGRPCPlugin) GRPCClient(ctx context.Context, broker *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
-	return &RendererGRPCClient{NewRendererClient(c)}, nil
+	return &RendererGRPCClient{NewRendererClient(c), NewSanitizerClient(c)}, nil
 }

 type RendererGRPCClient struct {
 	RendererClient
+	SanitizerClient
+}
+
+func (m *RendererGRPCClient) Sanitize(ctx context.Context, req *SanitizeRequest, opts ...grpc.CallOption) (*SanitizeResponse, error) {
+	return m.SanitizerClient.Sanitize(ctx, req, opts...)
 }

 func (m *RendererGRPCClient) Render(ctx context.Context, req *RenderRequest, opts ...grpc.CallOption) (*RenderResponse, error) {
@ -32,4 +38,5 @@ func (m *RendererGRPCClient) Render(ctx context.Context, req *RenderRequest, opt
 }

 var _ RendererClient = &RendererGRPCClient{}
+var _ SanitizerClient = &RendererGRPCClient{}
 var _ plugin.GRPCPlugin = &RendererGRPCPlugin{}
--- a/pkg/plugins/backendplugin/pluginextensionv2/rendererv2.pb.go
+++ b/pkg/plugins/backendplugin/pluginextensionv2/rendererv2.pb.go
@ -1,21 +1,20 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.26.0
-// 	protoc        v3.15.8
+// 	protoc-gen-go v1.28.0
+// 	protoc        v3.19.4
 // source: rendererv2.proto

 package pluginextensionv2

 import (
 	context "context"
-	reflect "reflect"
-	sync "sync"
-
 	grpc "google.golang.org/grpc"
 	codes "google.golang.org/grpc/codes"
 	status "google.golang.org/grpc/status"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
 )

 const (
--- a/pkg/plugins/backendplugin/pluginextensionv2/sanitizer.pb.go
+++ b/pkg/plugins/backendplugin/pluginextensionv2/sanitizer.pb.go
@ -0,0 +1,337 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.28.0
+// 	protoc        v3.19.4
+// source: sanitizer.proto
+
+package pluginextensionv2
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type SanitizeRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Filename   string `protobuf:"bytes,1,opt,name=filename,proto3" json:"filename,omitempty"`
+	Content    []byte `protobuf:"bytes,2,opt,name=content,proto3" json:"content,omitempty"`
+	ConfigType string `protobuf:"bytes,3,opt,name=configType,proto3" json:"configType,omitempty"` // DOMPurify, ...
+	Config     []byte `protobuf:"bytes,4,opt,name=config,proto3" json:"config,omitempty"`
+}
+
+func (x *SanitizeRequest) Reset() {
+	*x = SanitizeRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_sanitizer_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SanitizeRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SanitizeRequest) ProtoMessage() {}
+
+func (x *SanitizeRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_sanitizer_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SanitizeRequest.ProtoReflect.Descriptor instead.
+func (*SanitizeRequest) Descriptor() ([]byte, []int) {
+	return file_sanitizer_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *SanitizeRequest) GetFilename() string {
+	if x != nil {
+		return x.Filename
+	}
+	return ""
+}
+
+func (x *SanitizeRequest) GetContent() []byte {
+	if x != nil {
+		return x.Content
+	}
+	return nil
+}
+
+func (x *SanitizeRequest) GetConfigType() string {
+	if x != nil {
+		return x.ConfigType
+	}
+	return ""
+}
+
+func (x *SanitizeRequest) GetConfig() []byte {
+	if x != nil {
+		return x.Config
+	}
+	return nil
+}
+
+type SanitizeResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Error     string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
+	Sanitized []byte `protobuf:"bytes,2,opt,name=sanitized,proto3" json:"sanitized,omitempty"`
+}
+
+func (x *SanitizeResponse) Reset() {
+	*x = SanitizeResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_sanitizer_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SanitizeResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SanitizeResponse) ProtoMessage() {}
+
+func (x *SanitizeResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_sanitizer_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SanitizeResponse.ProtoReflect.Descriptor instead.
+func (*SanitizeResponse) Descriptor() ([]byte, []int) {
+	return file_sanitizer_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *SanitizeResponse) GetError() string {
+	if x != nil {
+		return x.Error
+	}
+	return ""
+}
+
+func (x *SanitizeResponse) GetSanitized() []byte {
+	if x != nil {
+		return x.Sanitized
+	}
+	return nil
+}
+
+var File_sanitizer_proto protoreflect.FileDescriptor
+
+var file_sanitizer_proto_rawDesc = []byte{
+	0x0a, 0x0f, 0x73, 0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x12, 0x11, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69,
+	0x6f, 0x6e, 0x76, 0x32, 0x22, 0x7f, 0x0a, 0x0f, 0x53, 0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x6e,
+	0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x6e,
+	0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x12, 0x1e, 0x0a,
+	0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x54, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x54, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a,
+	0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x63,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x46, 0x0a, 0x10, 0x53, 0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a,
+	0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72,
+	0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x12,
+	0x1c, 0x0a, 0x09, 0x73, 0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x0c, 0x52, 0x09, 0x73, 0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65, 0x64, 0x32, 0x60, 0x0a,
+	0x09, 0x53, 0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65, 0x72, 0x12, 0x53, 0x0a, 0x08, 0x53, 0x61,
+	0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65, 0x12, 0x22, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x65,
+	0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x76, 0x32, 0x2e, 0x53, 0x61, 0x6e, 0x69, 0x74,
+	0x69, 0x7a, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x70, 0x6c, 0x75,
+	0x67, 0x69, 0x6e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x76, 0x32, 0x2e, 0x53,
+	0x61, 0x6e, 0x69, 0x74, 0x69, 0x7a, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42,
+	0x15, 0x5a, 0x13, 0x2e, 0x3b, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x65, 0x78, 0x74, 0x65, 0x6e,
+	0x73, 0x69, 0x6f, 0x6e, 0x76, 0x32, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_sanitizer_proto_rawDescOnce sync.Once
+	file_sanitizer_proto_rawDescData = file_sanitizer_proto_rawDesc
+)
+
+func file_sanitizer_proto_rawDescGZIP() []byte {
+	file_sanitizer_proto_rawDescOnce.Do(func() {
+		file_sanitizer_proto_rawDescData = protoimpl.X.CompressGZIP(file_sanitizer_proto_rawDescData)
+	})
+	return file_sanitizer_proto_rawDescData
+}
+
+var file_sanitizer_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_sanitizer_proto_goTypes = []interface{}{
+	(*SanitizeRequest)(nil),  // 0: pluginextensionv2.SanitizeRequest
+	(*SanitizeResponse)(nil), // 1: pluginextensionv2.SanitizeResponse
+}
+var file_sanitizer_proto_depIdxs = []int32{
+	0, // 0: pluginextensionv2.Sanitizer.Sanitize:input_type -> pluginextensionv2.SanitizeRequest
+	1, // 1: pluginextensionv2.Sanitizer.Sanitize:output_type -> pluginextensionv2.SanitizeResponse
+	1, // [1:2] is the sub-list for method output_type
+	0, // [0:1] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_sanitizer_proto_init() }
+func file_sanitizer_proto_init() {
+	if File_sanitizer_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_sanitizer_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SanitizeRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_sanitizer_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SanitizeResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_sanitizer_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_sanitizer_proto_goTypes,
+		DependencyIndexes: file_sanitizer_proto_depIdxs,
+		MessageInfos:      file_sanitizer_proto_msgTypes,
+	}.Build()
+	File_sanitizer_proto = out.File
+	file_sanitizer_proto_rawDesc = nil
+	file_sanitizer_proto_goTypes = nil
+	file_sanitizer_proto_depIdxs = nil
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConnInterface
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion6
+
+// SanitizerClient is the client API for Sanitizer service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
+type SanitizerClient interface {
+	Sanitize(ctx context.Context, in *SanitizeRequest, opts ...grpc.CallOption) (*SanitizeResponse, error)
+}
+
+type sanitizerClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewSanitizerClient(cc grpc.ClientConnInterface) SanitizerClient {
+	return &sanitizerClient{cc}
+}
+
+func (c *sanitizerClient) Sanitize(ctx context.Context, in *SanitizeRequest, opts ...grpc.CallOption) (*SanitizeResponse, error) {
+	out := new(SanitizeResponse)
+	err := c.cc.Invoke(ctx, "/pluginextensionv2.Sanitizer/Sanitize", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// SanitizerServer is the server API for Sanitizer service.
+type SanitizerServer interface {
+	Sanitize(context.Context, *SanitizeRequest) (*SanitizeResponse, error)
+}
+
+// UnimplementedSanitizerServer can be embedded to have forward compatible implementations.
+type UnimplementedSanitizerServer struct {
+}
+
+func (*UnimplementedSanitizerServer) Sanitize(context.Context, *SanitizeRequest) (*SanitizeResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Sanitize not implemented")
+}
+
+func RegisterSanitizerServer(s *grpc.Server, srv SanitizerServer) {
+	s.RegisterService(&_Sanitizer_serviceDesc, srv)
+}
+
+func _Sanitizer_Sanitize_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SanitizeRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SanitizerServer).Sanitize(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/pluginextensionv2.Sanitizer/Sanitize",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SanitizerServer).Sanitize(ctx, req.(*SanitizeRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _Sanitizer_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "pluginextensionv2.Sanitizer",
+	HandlerType: (*SanitizerServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Sanitize",
+			Handler:    _Sanitizer_Sanitize_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "sanitizer.proto",
+}
--- a/pkg/plugins/backendplugin/pluginextensionv2/sanitizer.proto
+++ b/pkg/plugins/backendplugin/pluginextensionv2/sanitizer.proto
@ -0,0 +1,20 @@
+syntax = "proto3";
+package pluginextensionv2;
+
+option go_package = ".;pluginextensionv2";
+
+message SanitizeRequest {
+  string filename = 1;
+  bytes content = 2;
+  string configType = 3; // DOMPurify, ...
+  bytes config = 4;
+}
+
+message SanitizeResponse {
+  string error = 1;
+  bytes sanitized = 2;
+}
+
+service Sanitizer {
+  rpc Sanitize(SanitizeRequest) returns (SanitizeResponse);
+}
--- a/pkg/server/backgroundsvcs/background_services.go
+++ b/pkg/server/backgroundsvcs/background_services.go
@ -25,6 +25,7 @@ import (
 	secretsManager "github.com/grafana/grafana/pkg/services/secrets/manager"
 	"github.com/grafana/grafana/pkg/services/serviceaccounts"
 	"github.com/grafana/grafana/pkg/services/store"
+	"github.com/grafana/grafana/pkg/services/store/sanitizer"
 	"github.com/grafana/grafana/pkg/services/thumbs"
 	"github.com/grafana/grafana/pkg/services/updatechecker"
 )
@ -41,7 +42,7 @@ func ProvideBackgroundServiceRegistry(
 	// Need to make sure these are initialized, is there a better place to put them?
 	_ dashboardsnapshots.Service, _ *alerting.AlertNotificationService,
 	_ serviceaccounts.Service, _ *guardian.Provider,
-	_ *plugindashboardsservice.DashboardUpdater,
+	_ *plugindashboardsservice.DashboardUpdater, _ *sanitizer.Provider,
 ) *BackgroundServiceRegistry {
 	return NewBackgroundServiceRegistry(
 		httpServer,
--- a/pkg/server/wire.go
+++ b/pkg/server/wire.go
@ -6,6 +6,7 @@ package server
 import (
 	"github.com/google/wire"
 	sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
+	"github.com/grafana/grafana/pkg/services/store/sanitizer"

 	"github.com/grafana/grafana/pkg/api"
 	"github.com/grafana/grafana/pkg/api/avatar"
@ -263,6 +264,7 @@ var wireBasicSet = wire.NewSet(
 	wire.Bind(new(alerting.DashAlertExtractor), new(*alerting.DashAlertExtractorService)),
 	comments.ProvideService,
 	guardian.ProvideService,
+	sanitizer.ProvideService,
 	secretsStore.ProvideService,
 	avatar.ProvideAvatarCacheServer,
 	authproxy.ProvideAuthProxy,
--- a/pkg/services/alerting/notifier_test.go
+++ b/pkg/services/alerting/notifier_test.go
@ -339,6 +339,10 @@ type testRenderService struct {
 	renderErrorImageProvider func(error error) (*rendering.RenderResult, error)
 }

+func (s *testRenderService) SanitizeSVG(ctx context.Context, req *rendering.SanitizeSVGRequest) (*rendering.SanitizeSVGResponse, error) {
+	return &rendering.SanitizeSVGResponse{Sanitized: req.Content}, nil
+}
+
 func (s *testRenderService) HasCapability(feature rendering.CapabilityName) (rendering.CapabilitySupportRequestResult, error) {
 	return rendering.CapabilitySupportRequestResult{}, nil
 }
--- a/pkg/services/rendering/capabilities.go
+++ b/pkg/services/rendering/capabilities.go
@ -16,6 +16,7 @@ type CapabilityName string
 const (
 	ScalingDownImages CapabilityName = "ScalingDownImages"
 	FullHeightImages  CapabilityName = "FullHeightImages"
+	SvgSanitization   CapabilityName = "SvgSanitization"
 )

 var ErrUnknownCapability = errors.New("unknown capability")
--- a/pkg/services/rendering/interface.go
+++ b/pkg/services/rendering/interface.go
@ -62,6 +62,15 @@ type ErrorOpts struct {
 	ErrorRenderUnavailable bool
 }

+type SanitizeSVGRequest struct {
+	Filename string
+	Content  []byte
+}
+
+type SanitizeSVGResponse struct {
+	Sanitized []byte
+}
+
 type CSVOpts struct {
 	TimeoutOpts
 	AuthOpts
@ -83,6 +92,7 @@ type RenderCSVResult struct {

 type renderFunc func(ctx context.Context, renderKey string, options Opts) (*RenderResult, error)
 type renderCSVFunc func(ctx context.Context, renderKey string, options CSVOpts) (*RenderCSVResult, error)
+type sanitizeFunc func(ctx context.Context, req *SanitizeSVGRequest) (*SanitizeSVGResponse, error)

 type renderKeyProvider interface {
 	get(ctx context.Context, opts AuthOpts) (string, error)
@ -114,4 +124,5 @@ type Service interface {
 	GetRenderUser(ctx context.Context, key string) (*RenderUser, bool)
 	HasCapability(capability CapabilityName) (CapabilitySupportRequestResult, error)
 	CreateRenderingSession(ctx context.Context, authOpts AuthOpts, sessionOpts SessionOpts) (Session, error)
+	SanitizeSVG(ctx context.Context, req *SanitizeSVGRequest) (*SanitizeSVGResponse, error)
 }
--- a/pkg/services/rendering/mock.go
+++ b/pkg/services/rendering/mock.go
@ -139,6 +139,21 @@ func (mr *MockServiceMockRecorder) RenderErrorImage(arg0, arg1 interface{}) *gom
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RenderErrorImage", reflect.TypeOf((*MockService)(nil).RenderErrorImage), arg0, arg1)
 }

+// SanitizeSVG mocks base method.
+func (m *MockService) SanitizeSVG(arg0 context.Context, arg1 *SanitizeSVGRequest) (*SanitizeSVGResponse, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SanitizeSVG", arg0, arg1)
+	ret0, _ := ret[0].(*SanitizeSVGResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// SanitizeSVG indicates an expected call of SanitizeSVG.
+func (mr *MockServiceMockRecorder) SanitizeSVG(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SanitizeSVG", reflect.TypeOf((*MockService)(nil).SanitizeSVG), arg0, arg1)
+}
+
 // Version mocks base method.
 func (m *MockService) Version() string {
 	m.ctrl.T.Helper()
--- a/pkg/services/rendering/rendering.go
+++ b/pkg/services/rendering/rendering.go
@ -27,6 +27,8 @@ func init() {
 	remotecache.Register(&RenderUser{})
 }

+var _ Service = (*RenderingService)(nil)
+
 const ServiceName = "RenderingService"

 type RenderingService struct {
@ -34,6 +36,8 @@ type RenderingService struct {
 	pluginInfo        *plugins.Plugin
 	renderAction      renderFunc
 	renderCSVAction   renderCSVFunc
+	sanitizeSVGAction sanitizeFunc
+	sanitizeURL       string
 	domain            string
 	inProgressCount   int32
 	version           string
@ -59,8 +63,14 @@ func ProvideService(cfg *setting.Cfg, remoteCache *remotecache.RemoteCache, rm p
 		return nil, fmt.Errorf("failed to create CSVs directory %q: %w", cfg.CSVsDir, err)
 	}

+	logger := log.New("rendering")
+
+	// URL for HTTP sanitize API
+	var sanitizeURL string
+
+	//  value used for domain attribute of renderKey cookie
 	var domain string
-	// set value used for domain attribute of renderKey cookie
+
 	switch {
 	case cfg.RendererUrl != "":
 		// RendererCallbackUrl has already been passed, it won't generate an error.
@ -69,6 +79,7 @@ func ProvideService(cfg *setting.Cfg, remoteCache *remotecache.RemoteCache, rm p
 			return nil, err
 		}

+		sanitizeURL = getSanitizerURL(cfg.RendererUrl)
 		domain = u.Hostname()
 	case cfg.HTTPAddr != setting.DefaultHTTPAddr:
 		domain = cfg.HTTPAddr
@ -76,7 +87,6 @@ func ProvideService(cfg *setting.Cfg, remoteCache *remotecache.RemoteCache, rm p
 		domain = "localhost"
 	}

-	logger := log.New("rendering")
 	s := &RenderingService{
 		perRequestRenderKeyProvider: &perRequestRenderKeyProvider{
 			cache:     remoteCache,
@ -92,16 +102,26 @@ func ProvideService(cfg *setting.Cfg, remoteCache *remotecache.RemoteCache, rm p
 				name:             ScalingDownImages,
 				semverConstraint: ">= 3.4.0",
 			},
+			{
+				name:             SvgSanitization,
+				semverConstraint: ">= 3.5.0",
+			},
 		},
 		Cfg:                   cfg,
 		RemoteCacheService:    remoteCache,
 		RendererPluginManager: rm,
 		log:                   logger,
 		domain:                domain,
+		sanitizeURL:           sanitizeURL,
 	}
 	return s, nil
 }

+func getSanitizerURL(rendererURL string) string {
+	rendererBaseURL := strings.TrimSuffix(rendererURL, "/render")
+	return rendererBaseURL + "/sanitize"
+}
+
 func (rs *RenderingService) Run(ctx context.Context) error {
 	if rs.remoteAvailable() {
 		rs.log = rs.log.New("renderer", "http")
@ -120,6 +140,7 @@ func (rs *RenderingService) Run(ctx context.Context) error {
 		})
 		rs.renderAction = rs.renderViaHTTP
 		rs.renderCSVAction = rs.renderCSVViaHTTP
+		rs.sanitizeSVGAction = rs.sanitizeViaHTTP

 		refreshTicker := time.NewTicker(remoteVersionRefreshInterval)

@ -146,6 +167,7 @@ func (rs *RenderingService) Run(ctx context.Context) error {
 		rs.version = rs.pluginInfo.Info.Version
 		rs.renderAction = rs.renderViaPlugin
 		rs.renderCSVAction = rs.renderCSVViaPlugin
+		rs.sanitizeSVGAction = rs.sanitizeSVGViaPlugin
 		<-ctx.Done()

 		// On Windows, Chromium is generating a debug.log file that breaks signature check on next restart
@ -293,6 +315,26 @@ func (rs *RenderingService) RenderCSV(ctx context.Context, opts CSVOpts, session
 	return result, err
 }

+func (rs *RenderingService) SanitizeSVG(ctx context.Context, req *SanitizeSVGRequest) (*SanitizeSVGResponse, error) {
+	capability, err := rs.HasCapability(SvgSanitization)
+	if err != nil {
+		return nil, err
+	}
+
+	if !capability.IsSupported {
+		return nil, fmt.Errorf("svg sanitization unsupported, requires image renderer version: %s", capability.SemverConstraint)
+	}
+
+	start := time.Now()
+
+	action, err := rs.sanitizeSVGAction(ctx, req)
+	if err != nil {
+		defer rs.log.Info("svg sanitization finished", "duration", time.Since(start), "filename", req.Filename, "isError", err != nil)
+	}
+
+	return action, err
+}
+
 func (rs *RenderingService) renderCSV(ctx context.Context, opts CSVOpts, renderKeyProvider renderKeyProvider) (*RenderCSVResult, error) {
 	if int(atomic.LoadInt32(&rs.inProgressCount)) > opts.ConcurrentLimit {
 		return nil, ErrConcurrentLimitReached
--- a/pkg/services/rendering/svgSanitizer.go
+++ b/pkg/services/rendering/svgSanitizer.go
@ -0,0 +1,178 @@
+package rendering
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"mime/multipart"
+	"net/http"
+	"net/textproto"
+	"net/url"
+	"time"
+
+	"github.com/grafana/grafana/pkg/plugins/backendplugin/pluginextensionv2"
+)
+
+var (
+	domPurifySvgConfig = map[string]interface{}{
+		// domPurifyConfig is passed directly to DOMPurify https://github.com/cure53/DOMPurify#can-i-configure-dompurify
+		"domPurifyConfig": map[string]interface{}{
+			"USE_PROFILES": map[string]bool{"svg": true, "svgFilters": true},
+			"ADD_TAGS":     []string{"use"},
+		},
+		// allowAllLinksInSvgUseTags will preserve all `use` tags.
+		// By default, we remove all non-self-referential `use` tags, i.e. those which `href` attribute does not start with `#`
+		"allowAllLinksInSvgUseTags": false,
+	}
+	domPurifyConfigType = "DOMPurify"
+)
+
+type formFile struct {
+	fileName    string
+	key         string
+	contentType string
+	content     io.Reader
+}
+
+func createMultipartRequestBody(values []formFile) (bytes.Buffer, string, error) {
+	var b bytes.Buffer
+	w := multipart.NewWriter(&b)
+	for _, f := range values {
+		h := make(textproto.MIMEHeader)
+		h.Set("Content-Disposition", fmt.Sprintf(`form-data; name="%s"; filename="%s"`, f.key, f.fileName))
+		h.Set("Content-Type", f.contentType)
+		formWriter, err := w.CreatePart(h)
+
+		if err != nil {
+			return bytes.Buffer{}, "", err
+		}
+
+		if _, err := io.Copy(formWriter, f.content); err != nil {
+			return bytes.Buffer{}, "", err
+		}
+
+		if x, ok := f.content.(io.Closer); ok {
+			_ = x.Close()
+		}
+	}
+
+	if err := w.Close(); err != nil {
+		return bytes.Buffer{}, "", err
+	}
+
+	return b, w.FormDataContentType(), nil
+}
+
+func (rs *RenderingService) sanitizeViaHTTP(ctx context.Context, req *SanitizeSVGRequest) (*SanitizeSVGResponse, error) {
+	sanitizerUrl, err := url.Parse(rs.sanitizeURL)
+	if err != nil {
+		return nil, err
+	}
+
+	configJson, err := json.Marshal(map[string]interface{}{
+		"config":     domPurifySvgConfig,
+		"configType": domPurifyConfigType,
+	})
+	if err != nil {
+		rs.log.Error("Sanitizer - HTTP: failed to create the request config", "error", err, "filename", req.Filename)
+		return nil, fmt.Errorf("config creation fail: %s", err)
+	}
+
+	body, contentType, err := createMultipartRequestBody([]formFile{
+		{
+			fileName:    "config",
+			key:         "config",
+			contentType: "application/json",
+			content:     bytes.NewReader(configJson),
+		},
+		{
+			fileName:    req.Filename,
+			key:         "file",
+			contentType: "image/svg+xml",
+			content:     bytes.NewReader(req.Content),
+		},
+	})
+	if err != nil {
+		rs.log.Error("Sanitizer - HTTP: failed to create the request body", "error", err, "filename", req.Filename)
+		return nil, fmt.Errorf("body creation fail: %s", err)
+	}
+
+	reqContext, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+	httpReq, err := http.NewRequestWithContext(reqContext, "POST", sanitizerUrl.String(), &body)
+	if err != nil {
+		rs.log.Error("Sanitizer - HTTP: failed to create the HTTP request", "error", err, "filename", req.Filename)
+		return nil, err
+	}
+
+	httpReq.Header.Set("User-Agent", fmt.Sprintf("Grafana/%s", rs.Cfg.BuildVersion))
+	httpReq.Header.Set("Content-Type", contentType)
+
+	rs.log.Debug("Sanitizer - HTTP: calling", "filename", req.Filename, "contentLength", len(req.Content), "url", sanitizerUrl)
+	// make request to renderer server
+	resp, err := netClient.Do(httpReq)
+	if err != nil {
+		rs.log.Error("Sanitizer - HTTP: failed to send request", "error", err)
+		return nil, fmt.Errorf("sanitizer - HTTP: failed to send request: %w", err)
+	}
+
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			rs.log.Error("Sanitizer - HTTP: failed to close response body", "statusCode", resp.StatusCode, "error", err)
+		}
+	}()
+
+	if resp.StatusCode != http.StatusOK {
+		if body, err := io.ReadAll(resp.Body); body != nil {
+			rs.log.Error("Sanitizer - HTTP: failed to sanitize", "statusCode", resp.StatusCode, "error", err, "resp", string(body))
+		} else {
+			rs.log.Error("Sanitizer - HTTP: failed to sanitize", "statusCode", resp.StatusCode, "error", err)
+		}
+		return nil, fmt.Errorf("sanitizer - HTTP: failed to sanitize %s", req.Filename)
+	}
+
+	sanitized, err := io.ReadAll(resp.Body)
+	if err != nil {
+		rs.log.Error("Sanitizer - HTTP: failed to read response body", "error", err, "filename", req.Filename)
+		return nil, fmt.Errorf("sanitizer - HTTP: failed to read response body: %s", err)
+	}
+
+	return &SanitizeSVGResponse{Sanitized: sanitized}, nil
+}
+
+func (rs *RenderingService) sanitizeSVGViaPlugin(ctx context.Context, req *SanitizeSVGRequest) (*SanitizeSVGResponse, error) {
+	ctx, cancel := context.WithTimeout(ctx, time.Second*20)
+	defer cancel()
+
+	domPurifyConfig, err := json.Marshal(domPurifySvgConfig)
+	if err != nil {
+		rs.log.Error("Sanitizer - plugin: failed to parse domPurifyConfig")
+		return nil, fmt.Errorf("sanitizer - plugin: failed to parse domPurifyConfig %s", err)
+	}
+	grpcReq := &pluginextensionv2.SanitizeRequest{
+		Filename:   req.Filename,
+		Content:    req.Content,
+		ConfigType: domPurifyConfigType,
+		Config:     domPurifyConfig,
+	}
+	rs.log.Debug("Sanitizer - plugin: calling", "filename", req.Filename, "contentLength", len(req.Content))
+
+	rsp, err := rs.pluginInfo.Renderer.Sanitize(ctx, grpcReq)
+	if err != nil {
+		if errors.Is(ctx.Err(), context.DeadlineExceeded) {
+			rs.log.Info("Sanitizer - plugin: time out")
+			return nil, ErrTimeout
+		}
+
+		return nil, err
+	}
+
+	if rsp.Error != "" {
+		return nil, fmt.Errorf("sanitizer - plugin: failed to sanitize: %s", rsp.Error)
+	}
+
+	return &SanitizeSVGResponse{Sanitized: rsp.Sanitized}, nil
+}
--- a/pkg/services/store/http.go
+++ b/pkg/services/store/http.go
@ -126,6 +126,11 @@ func (s *httpStorage) Read(c *models.ReqContext) response.Response {
 	if err != nil {
 		return response.Error(400, "cannot call read", err)
 	}
+
+	if file == nil || file.Contents == nil {
+		return response.Error(404, "file does not exist", err)
+	}
+
 	// set the correct content type for svg
 	if strings.HasSuffix(path, ".svg") {
 		c.Resp.Header().Set("Content-Type", "image/svg+xml")
--- a/pkg/services/store/sanitize.go
+++ b/pkg/services/store/sanitize.go
@ -6,20 +6,44 @@ import (

 	"github.com/grafana/grafana/pkg/infra/filestorage"
 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/services/rendering"
+	"github.com/grafana/grafana/pkg/services/store/sanitizer"
 )

-func (s *standardStorageService) sanitizeUploadRequest(ctx context.Context, user *models.SignedInUser, req *UploadRequest, storagePath string) (*filestorage.UpsertFileCommand, error) {
+func (s *standardStorageService) sanitizeContents(ctx context.Context, user *models.SignedInUser, req *UploadRequest, storagePath string) ([]byte, error) {
 	if req.EntityType == EntityTypeImage {
 		ext := filepath.Ext(req.Path)
-		//nolint: staticcheck
 		if ext == ".svg" {
-			// TODO: sanitize svg
+			resp, err := sanitizer.SanitizeSVG(ctx, &rendering.SanitizeSVGRequest{
+				Filename: storagePath,
+				Content:  req.Contents,
+			})
+			if err != nil {
+				if s.cfg.allowUnsanitizedSvgUpload {
+					grafanaStorageLogger.Debug("allowing unsanitized svg upload", "filename", req.Path, "sanitizationError", err)
+					return req.Contents, nil
+				} else {
+					grafanaStorageLogger.Debug("disallowing unsanitized svg upload", "filename", req.Path, "sanitizationError", err)
+					return nil, err
 				}
 			}

+			return resp.Sanitized, nil
+		}
+	}
+
+	return req.Contents, nil
+}
+
+func (s *standardStorageService) sanitizeUploadRequest(ctx context.Context, user *models.SignedInUser, req *UploadRequest, storagePath string) (*filestorage.UpsertFileCommand, error) {
+	contents, err := s.sanitizeContents(ctx, user, req, storagePath)
+	if err != nil {
+		return nil, err
+	}
+
 	return &filestorage.UpsertFileCommand{
 		Path:               storagePath,
-		Contents:           req.Contents,
+		Contents:           contents,
 		MimeType:           req.MimeType,
 		CacheControl:       req.CacheControl,
 		ContentDisposition: req.ContentDisposition,
--- a/pkg/services/store/sanitizer/Provider.go
+++ b/pkg/services/store/sanitizer/Provider.go
@ -0,0 +1,23 @@
+package sanitizer
+
+import (
+	"context"
+	"errors"
+
+	"github.com/grafana/grafana/pkg/services/rendering"
+)
+
+// workaround for cyclic dep between the store and the renderer
+
+type Provider struct{}
+
+var SanitizeSVG = func(ctx context.Context, req *rendering.SanitizeSVGRequest) (*rendering.SanitizeSVGResponse, error) {
+	return nil, errors.New("not implemented")
+}
+
+func ProvideService(
+	renderer rendering.Service,
+) *Provider {
+	SanitizeSVG = renderer.SanitizeSVG
+	return &Provider{}
+}
--- a/pkg/services/store/service.go
+++ b/pkg/services/store/service.go
@ -48,9 +48,14 @@ type StorageService interface {
 	sanitizeUploadRequest(ctx context.Context, user *models.SignedInUser, req *UploadRequest, storagePath string) (*filestorage.UpsertFileCommand, error)
 }

+type storageServiceConfig struct {
+	allowUnsanitizedSvgUpload bool
+}
+
 type standardStorageService struct {
 	sql  *sqlstore.SQLStore
 	tree *nestedTree
+	cfg  storageServiceConfig
 }

 func ProvideService(sql *sqlstore.SQLStore, features featuremgmt.FeatureToggles, cfg *setting.Cfg) StorageService {
@ -83,6 +88,9 @@ func ProvideService(sql *sqlstore.SQLStore, features featuremgmt.FeatureToggles,

 	s := newStandardStorageService(globalRoots, initializeOrgStorages)
 	s.sql = sql
+	s.cfg = storageServiceConfig{
+		allowUnsanitizedSvgUpload: false,
+	}
 	return s
 }

--- a/pkg/services/store/utils.go
+++ b/pkg/services/store/utils.go
@ -1,7 +1,6 @@
 package store

 import (
-	"path/filepath"
 	"strings"

 	"github.com/grafana/grafana/pkg/models"
@ -27,5 +26,5 @@ func getPathAndScope(c *models.ReqContext) (string, string) {
 	if path == "" {
 		return "", ""
 	}
-	return splitFirstSegment(filepath.Clean(path))
+	return splitFirstSegment(path)
 }
--- a/pkg/services/store/validate.go
+++ b/pkg/services/store/validate.go
@ -13,6 +13,7 @@ var (
 	allowedImageExtensions = map[string]bool{
 		".jpg":  true,
 		".jpeg": true,
+		".svg":  true,
 		".gif":  true,
 		".png":  true,
 		".webp": true,
@ -23,6 +24,7 @@ var (
 		".gif":  {"image/gif": true},
 		".png":  {"image/png": true},
 		".webp": {"image/webp": true},
+		".svg":  {"text/xml; charset=utf-8": true, "text/plain; charset=utf-8": true, "image/svg+xml": true},
 	}
 )

@ -68,7 +70,7 @@ func (s *standardStorageService) validateUploadRequest(ctx context.Context, user
 	// TODO: validateProperties

 	if err := filestorage.ValidatePath(storagePath); err != nil {
-		return fail("path validation failed: " + err.Error())
+		return fail("path validation failed. error:" + err.Error() + ". path: " + storagePath)
 	}

 	switch req.EntityType {