grafana/pkg/services/store/validate.go

package store

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"

	"github.com/grafana/grafana/pkg/infra/filestorage"
	"github.com/grafana/grafana/pkg/services/user"
	"github.com/grafana/grafana/pkg/util"
)

var (
	allowedImageExtensions = map[string]bool{
		".jpg":  true,
		".jpeg": true,
		".svg":  true,
		".gif":  true,
		".png":  true,
		".webp": true,
	}
	imageExtensionsToMatchingMimeTypes = map[string]map[string]bool{
		".jpg":  {"image/jpg": true, "image/jpeg": true},
		".jpeg": {"image/jpg": true, "image/jpeg": true},
		".gif":  {"image/gif": true},
		".png":  {"image/png": true},
		".webp": {"image/webp": true},
		".svg":  {"image/svg+xml": true},
	}
)

type validationResult struct {
	ok     bool
	reason string
}

func success() validationResult {
	return validationResult{
		ok: true,
	}
}

func fail(reason string) validationResult {
	return validationResult{
		ok:     false,
		reason: reason,
	}
}

func (s *standardStorageService) detectMimeType(ctx context.Context, user *user.SignedInUser, uploadRequest *UploadRequest) string {
	if strings.HasSuffix(uploadRequest.Path, ".svg") {
		if util.IsSVG(uploadRequest.Contents) {
			return "image/svg+xml"
		}
	}

	return http.DetectContentType(uploadRequest.Contents)
}

func (s *standardStorageService) validateImage(ctx context.Context, user *user.SignedInUser, uploadRequest *UploadRequest) validationResult {
	ext := filepath.Ext(uploadRequest.Path)
	if !allowedImageExtensions[ext] {
		return fail(fmt.Sprintf("unsupported extension: %s", ext))
	}

	mimeType := s.detectMimeType(ctx, user, uploadRequest)
	if !imageExtensionsToMatchingMimeTypes[ext][mimeType] {
		return fail(fmt.Sprintf("extension '%s' does not match the detected MimeType: %s", ext, mimeType))
	}

	return success()
}

func (s *standardStorageService) validateUploadRequest(ctx context.Context, user *user.SignedInUser, req *UploadRequest, storagePath string) validationResult {
	// TODO: validateSize
	// TODO: validateProperties

	if err := filestorage.ValidatePath(storagePath); err != nil {
		return fail(fmt.Sprintf("path validation failed. error: %s. path: %s", err.Error(), storagePath))
	}

	switch req.EntityType {
	case EntityTypeJSON:
		fallthrough
	case EntityTypeFolder:
		fallthrough
	case EntityTypeDashboard:
		// TODO: add proper validation
		if !json.Valid(req.Contents) {
			return fail("invalid json")
		}
		return success()
	case EntityTypeImage:
		return s.validateImage(ctx, user, req)
	default:
		return fail("unknown entity")
	}
}
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00			`package store`

			`import (`
			`"context"`
			`"encoding/json"`
Storage: Mime type detection (#52512) * Storage: implement mime type detection * lint 2022-07-25 02:30:20 -05:00			`"fmt"`
			`"net/http"`
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00			`"path/filepath"`
Storage: Mime type detection (#52512) * Storage: implement mime type detection * lint 2022-07-25 02:30:20 -05:00			`"strings"`
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00
			`"github.com/grafana/grafana/pkg/infra/filestorage"`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			`"github.com/grafana/grafana/pkg/services/user"`
Chore: remove the entity kind registry (#79178) 2023-12-06 16:00:53 -06:00			`"github.com/grafana/grafana/pkg/util"`
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00			`)`

			`var (`
			`allowedImageExtensions = map[string]bool{`
			`".jpg": true,`
			`".jpeg": true,`
Renderer: Add sanitize API (#50936) * svg fun * #50597: add proto * #50597: add sanitizer methods * #50597: add provider * #50597: use sanitizer * #50597: use sanitizer * update grafana to match new api * add comments * add capability check * add timing * update sanitize path * improve log message * strings.HasPrefix rather than filepath.IsAbs * filepath.Clean + filepath.ToSlash for windows * read 404 * remove `path.clean` from `getPathAndScope` * add resp body close * remove unneeded prop * Update pkg/services/rendering/rendering.go Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> * remove test files * filepath.ToSlash correct wrapping * filepath.ToSlash correct wrapping * filepath.ToSlash comment * compilation error * lint fix * fix error message * Update pkg/services/rendering/rendering.go Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> * add `image/svg+xml` mime type * refactored log * refactored log Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> 2022-07-07 06:32:18 -05:00			`".svg": true,`
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00			`".gif": true,`
			`".png": true,`
			`".webp": true,`
			`}`
			`imageExtensionsToMatchingMimeTypes = map[string]map[string]bool{`
			`".jpg": {"image/jpg": true, "image/jpeg": true},`
			`".jpeg": {"image/jpg": true, "image/jpeg": true},`
			`".gif": {"image/gif": true},`
			`".png": {"image/png": true},`
			`".webp": {"image/webp": true},`
Storage: Mime type detection (#52512) * Storage: implement mime type detection * lint 2022-07-25 02:30:20 -05:00			`".svg": {"image/svg+xml": true},`
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00			`}`
			`)`

			`type validationResult struct {`
			`ok bool`
			`reason string`
			`}`

			`func success() validationResult {`
			`return validationResult{`
			`ok: true,`
			`}`
			`}`

			`func fail(reason string) validationResult {`
			`return validationResult{`
			`ok: false,`
			`reason: reason,`
			`}`
			`}`

Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			`func (s standardStorageService) detectMimeType(ctx context.Context, user user.SignedInUser, uploadRequest *UploadRequest) string {`
Storage: Mime type detection (#52512) * Storage: implement mime type detection * lint 2022-07-25 02:30:20 -05:00			`if strings.HasSuffix(uploadRequest.Path, ".svg") {`
Chore: remove the entity kind registry (#79178) 2023-12-06 16:00:53 -06:00			`if util.IsSVG(uploadRequest.Contents) {`
Storage: Mime type detection (#52512) * Storage: implement mime type detection * lint 2022-07-25 02:30:20 -05:00			`return "image/svg+xml"`
			`}`
			`}`

			`return http.DetectContentType(uploadRequest.Contents)`
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00			`}`

Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			`func (s standardStorageService) validateImage(ctx context.Context, user user.SignedInUser, uploadRequest *UploadRequest) validationResult {`
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00			`ext := filepath.Ext(uploadRequest.Path)`
			`if !allowedImageExtensions[ext] {`
Storage: Mime type detection (#52512) * Storage: implement mime type detection * lint 2022-07-25 02:30:20 -05:00			`return fail(fmt.Sprintf("unsupported extension: %s", ext))`
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00			`}`

			`mimeType := s.detectMimeType(ctx, user, uploadRequest)`
			`if !imageExtensionsToMatchingMimeTypes[ext][mimeType] {`
Storage: Mime type detection (#52512) * Storage: implement mime type detection * lint 2022-07-25 02:30:20 -05:00			`return fail(fmt.Sprintf("extension '%s' does not match the detected MimeType: %s", ext, mimeType))`
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00			`}`

			`return success()`
			`}`

Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			`func (s standardStorageService) validateUploadRequest(ctx context.Context, user user.SignedInUser, req *UploadRequest, storagePath string) validationResult {`
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00			`// TODO: validateSize`
			`// TODO: validateProperties`

			`if err := filestorage.ValidatePath(storagePath); err != nil {`
Storage: Mime type detection (#52512) * Storage: implement mime type detection * lint 2022-07-25 02:30:20 -05:00			`return fail(fmt.Sprintf("path validation failed. error: %s. path: %s", err.Error(), storagePath))`
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00			`}`

			`switch req.EntityType {`
Storage: refactor readonly support (#52127) 2022-07-13 12:15:25 -05:00			`case EntityTypeJSON:`
			`fallthrough`
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00			`case EntityTypeFolder:`
			`fallthrough`
			`case EntityTypeDashboard:`
			`// TODO: add proper validation`
Storage: refactor readonly support (#52127) 2022-07-13 12:15:25 -05:00			`if !json.Valid(req.Contents) {`
			`return fail("invalid json")`
Storage: validation and sanitization stubs (#50523) * add `IsPathValidationError` util to fs api * refactor storage.Upload method * remove unused struct * extract `RootUpload` constant * move file validation outside of the service * Make UploadErrorToStatusCode exported * validation/sanitization * refactor pathValidationError check * refactor, rename sanitize to transform * add a todo * refactor * transform -> sanitize * lint fix * #50608: fix jpg/jpeg Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com> 2022-06-15 03:32:29 -05:00			`}`
			`return success()`
			`case EntityTypeImage:`
			`return s.validateImage(ctx, user, req)`
			`default:`
			`return fail("unknown entity")`
			`}`
			`}`