Storage: externalize allow_unsanitized_svg_upload (#52703)

2025-02-14 09:33:34 -06:00 · 2022-07-25 21:11:17 +04:00 · 2022-07-25 21:11:17 +04:00 · 3cd43bd7ea
commit 3cd43bd7ea
parent 9c3f9887fc
5 changed files with 40 additions and 8 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@ -1266,3 +1266,10 @@ max_crawl_duration =
 # Minimum interval between two subsequent scheduler runs. Default is 12h.
 # This setting should be expressed as a duration. Examples: 10s (seconds), 1m (minutes).
 scheduler_interval =
+
+
+#################################### Storage ################################################
+
+[storage]
+# Allow uploading SVG files without sanitization.
+allow_unsanitized_svg_upload = false
--- a/pkg/services/store/service.go
+++ b/pkg/services/store/service.go
@ -194,9 +194,7 @@ func ProvideService(sql *sqlstore.SQLStore, features featuremgmt.FeatureToggles,
 		}
 	})

-	return newStandardStorageService(sql, globalRoots, initializeOrgStorages, authService, storageServiceConfig{
-		allowUnsanitizedSvgUpload: false,
-	})
+	return newStandardStorageService(sql, globalRoots, initializeOrgStorages, authService, cfg)
 }

 func createSystemBrandingPathFilter() filestorage.PathFilter {
@ -207,7 +205,7 @@ func createSystemBrandingPathFilter() filestorage.PathFilter {
 		nil)
 }

-func newStandardStorageService(sql *sqlstore.SQLStore, globalRoots []storageRuntime, initializeOrgStorages func(orgId int64) []storageRuntime, authService storageAuthService, cfg storageServiceConfig) *standardStorageService {
+func newStandardStorageService(sql *sqlstore.SQLStore, globalRoots []storageRuntime, initializeOrgStorages func(orgId int64) []storageRuntime, authService storageAuthService, cfg *setting.Cfg) *standardStorageService {
 	rootsByOrgId := make(map[int64][]storageRuntime)
 	rootsByOrgId[ac.GlobalOrgID] = globalRoots

@ -220,7 +218,9 @@ func newStandardStorageService(sql *sqlstore.SQLStore, globalRoots []storageRunt
 		sql:         sql,
 		tree:        res,
 		authService: authService,
-		cfg:         cfg,
+		cfg: storageServiceConfig{
+			allowUnsanitizedSvgUpload: cfg.Storage.AllowUnsanitizedSvgUpload,
+		},
 	}
 }

--- a/pkg/services/store/service_test.go
+++ b/pkg/services/store/service_test.go
@ -11,12 +11,18 @@ import (
 	"github.com/grafana/grafana/pkg/infra/filestorage"
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/services/sqlstore"
+	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/tsdb/testdatasource"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 )

 var (
+	cfg = &setting.Cfg{
+		Storage: setting.StorageSettings{
+			AllowUnsanitizedSvgUpload: true,
+		},
+	}
 	htmlBytes, _        = ioutil.ReadFile("testdata/page.html")
 	jpgBytes, _         = ioutil.ReadFile("testdata/image.jpg")
 	svgBytes, _         = ioutil.ReadFile("testdata/image.svg")
@ -57,7 +63,7 @@ func TestListFiles(t *testing.T) {

 	store := newStandardStorageService(sqlstore.InitTestDB(t), roots, func(orgId int64) []storageRuntime {
 		return make([]storageRuntime, 0)
-	}, allowAllAuthService, storageServiceConfig{})
+	}, allowAllAuthService, cfg)
 	frame, err := store.List(context.Background(), dummyUser, "public/testdata")
 	require.NoError(t, err)

@ -77,7 +83,7 @@ func TestListFilesWithoutPermissions(t *testing.T) {

 	store := newStandardStorageService(sqlstore.InitTestDB(t), roots, func(orgId int64) []storageRuntime {
 		return make([]storageRuntime, 0)
-	}, denyAllAuthService, storageServiceConfig{})
+	}, denyAllAuthService, cfg)
 	frame, err := store.List(context.Background(), dummyUser, "public/testdata")
 	require.NoError(t, err)
 	rowLen, err := frame.RowLen()
@ -102,7 +108,7 @@ func setupUploadStore(t *testing.T, authService storageAuthService) (StorageServ
 	}
 	store := newStandardStorageService(sqlstore.InitTestDB(t), []storageRuntime{sqlStorage}, func(orgId int64) []storageRuntime {
 		return make([]storageRuntime, 0)
-	}, authService, storageServiceConfig{allowUnsanitizedSvgUpload: true})
+	}, authService, cfg)

 	return store, mockStorage, storageName
 }
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@ -443,6 +443,8 @@ type Cfg struct {

 	DashboardPreviews DashboardPreviewsSettings

+	Storage StorageSettings
+
 	// Access Control
 	RBACEnabled         bool
 	RBACPermissionCache bool
@ -1014,6 +1016,7 @@ func (cfg *Cfg) Load(args CommandLineArgs) error {
 	cfg.readDataSourcesSettings()

 	cfg.DashboardPreviews = readDashboardPreviewsSettings(iniFile)
+	cfg.Storage = readStorageSettings(iniFile)

 	if VerifyEmailEnabled && !cfg.Smtp.Enabled {
 		cfg.Logger.Warn("require_email_validation is enabled but smtp is disabled")
--- a/pkg/setting/setting_storage.go
+++ b/pkg/setting/setting_storage.go
@ -0,0 +1,16 @@
+package setting
+
+import (
+	"gopkg.in/ini.v1"
+)
+
+type StorageSettings struct {
+	AllowUnsanitizedSvgUpload bool
+}
+
+func readStorageSettings(iniFile *ini.File) StorageSettings {
+	s := StorageSettings{}
+	storageSection := iniFile.Section("storage")
+	s.AllowUnsanitizedSvgUpload = storageSection.Key("allow_unsanitized_svg_upload").MustBool(false)
+	return s
+}