IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Macaron: convert CSP middleware (#37672)

Browse Source
This commit is contained in:
Serge Zaitsev 2021-08-10 09:03:22 +02:00 committed by GitHub
parent 377b323faf
commit 0dfac9c3aa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 32 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/api/http_server.go
View File

@ -375,7 +375,7 @@ func (hs *HTTPServer) addMiddlewaresAndStaticRoutes() {
} }
m.Use(middleware.HandleNoCacheHeader) m.Use(middleware.HandleNoCacheHeader)
m.Use(middleware.AddCSPHeader(hs.Cfg, hs.log)) m.UseMiddleware(middleware.AddCSPHeader(hs.Cfg, hs.log))
for _, mw := range hs.middlewares { for _, mw := range hs.middlewares {
m.Use(mw) m.Use(mw)

19
pkg/middleware/csp.go
View File

@ -10,25 +10,22 @@ import (
"strings" "strings"
"github.com/grafana/grafana/pkg/infra/log" "github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models" "github.com/grafana/grafana/pkg/services/contexthandler"
"github.com/grafana/grafana/pkg/setting" "github.com/grafana/grafana/pkg/setting"
macaron "gopkg.in/macaron.v1"
) )
// AddCSPHeader adds the Content Security Policy header. // AddCSPHeader adds the Content Security Policy header.
func AddCSPHeader(cfg *setting.Cfg, logger log.Logger) macaron.Handler { func AddCSPHeader(cfg *setting.Cfg, logger log.Logger) func(http.Handler) http.Handler {
return func(w http.ResponseWriter, req *http.Request, c *macaron.Context) { return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
if !cfg.CSPEnabled { if !cfg.CSPEnabled {
next.ServeHTTP(rw, req)
return return
} }
logger.Debug("Adding CSP header to response", "cfg", fmt.Sprintf("%p", cfg)) logger.Debug("Adding CSP header to response", "cfg", fmt.Sprintf("%p", cfg))
ctx, ok := c.Data["ctx"].(*models.ReqContext) ctx := contexthandler.FromContext(req.Context())
if !ok {
panic("Failed to convert context into models.ReqContext")
}
if cfg.CSPTemplate == "" { if cfg.CSPTemplate == "" {
logger.Debug("CSP template not configured, so returning 500") logger.Debug("CSP template not configured, so returning 500")
ctx.JsonApiErr(500, "CSP template has to be configured", nil) ctx.JsonApiErr(500, "CSP template has to be configured", nil)
@ -47,8 +44,10 @@ func AddCSPHeader(cfg *setting.Cfg, logger log.Logger) macaron.Handler {
re := regexp.MustCompile(`^\w+:(//)?`) re := regexp.MustCompile(`^\w+:(//)?`)
rootPath := re.ReplaceAllString(cfg.AppURL, "") rootPath := re.ReplaceAllString(cfg.AppURL, "")
val = strings.ReplaceAll(val, "$ROOT_PATH", rootPath) val = strings.ReplaceAll(val, "$ROOT_PATH", rootPath)
w.Header().Set("Content-Security-Policy", val) rw.Header().Set("Content-Security-Policy", val)
ctx.RequestNonce = nonce ctx.RequestNonce = nonce
logger.Debug("Successfully generated CSP nonce", "nonce", nonce) logger.Debug("Successfully generated CSP nonce", "nonce", nonce)
next.ServeHTTP(rw, req)
})
} }
} }

2
pkg/middleware/middleware_test.go
View File

@ -632,7 +632,7 @@ func middlewareScenario(t *testing.T, desc string, fn scenarioFunc, cbs ...func(
sc.m = macaron.New() sc.m = macaron.New()
sc.m.Use(AddDefaultResponseHeaders(cfg)) sc.m.Use(AddDefaultResponseHeaders(cfg))
sc.m.Use(AddCSPHeader(cfg, logger)) sc.m.UseMiddleware(AddCSPHeader(cfg, logger))
sc.m.Use(macaron.Renderer(macaron.RenderOptions{ sc.m.Use(macaron.Renderer(macaron.RenderOptions{
Directory: viewsPath, Directory: viewsPath,
Delims: macaron.Delims{Left: "[[", Right: "]]"}, Delims: macaron.Delims{Left: "[[", Right: "]]"},