Canvas: Allow API calls to grafana origin (#91822)

* allow post URL * check for config * allow relative paths * add allowed internal pattern; add checks for method * update defaults.ini * add custom header * update config comment * use globbing, switch to older middleware - deprecated call * add codeowner * update to use current api, add test * update fall through logic * Update pkg/middleware/validate_action_url.go Co-authored-by: Dan Cech <dcech@grafana.com> * Update pkg/middleware/validate_action_url.go Co-authored-by: Dan Cech <dcech@grafana.com> * add more tests * Update pkg/middleware/validate_action_url_test.go Co-authored-by: Dan Cech <dcech@grafana.com> * fix request headers * add additional tests for all verbs * fix request headers++ * throw error when method is unknown --------- Co-authored-by: Ryan McKinley <ryantxu@gmail.com> Co-authored-by: Brian Gann <bkgann@gmail.com> Co-authored-by: Brian Gann <briangann@users.noreply.github.com> Co-authored-by: Dan Cech <dcech@grafana.com>
2025-08-03 01:12:22 +08:00 · 2024-09-10 08:45:27 -06:00
parent 462560d544
commit f64b121ddb
8 changed files with 476 additions and 35 deletions
--- a/pkg/middleware/middleware_test.go
+++ b/pkg/middleware/middleware_test.go
@ -244,6 +244,8 @@ func middlewareScenario(t *testing.T, desc string, fn scenarioFunc, cbs ...func(
 		ctxHdlr := getContextHandler(t, cfg, sc.authnService)
 		sc.m.Use(ctxHdlr.Middleware)
 		sc.m.Use(OrgRedirect(sc.cfg, sc.userService))
+		// handle action urls
+		sc.m.Use(ValidateActionUrl(sc.cfg, logger))

 		sc.defaultHandler = func(c *contextmodel.ReqContext) {
 			require.NotNil(t, c)