From 3cd43bd7ea1240b2d94313d7317537c4ba2e97f1 Mon Sep 17 00:00:00 2001
From: Artur Wierzbicki
Date: Mon, 25 Jul 2022 21:11:17 +0400
Subject: [PATCH] Storage: externalize `allow_unsanitized_svg_upload` (#52703)
---
 conf/defaults.ini | 7 +++++++
 pkg/services/store/service.go | 10 +++++-----
 pkg/services/store/service_test.go | 12 +++++++++---
 pkg/setting/setting.go | 3 +++
 pkg/setting/setting_storage.go | 16 ++++++++++++++++
 5 files changed, 40 insertions(+), 8 deletions(-)
 create mode 100644 pkg/setting/setting_storage.go
diff --git a/conf/defaults.ini b/conf/defaults.ini
index e06be50e952..06e52ab9b3f 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -1266,3 +1266,10 @@ max_crawl_duration =
 # Minimum interval between two subsequent scheduler runs. Default is 12h.
 # This setting should be expressed as a duration. Examples: 10s (seconds), 1m (minutes).
 scheduler_interval =
+
+
+#################################### Storage ################################################
+
+[storage]
+# Allow uploading SVG files without sanitization.
+allow_unsanitized_svg_upload = false
diff --git a/pkg/services/store/service.go b/pkg/services/store/service.go
index b4da1f2decc..f6a980d6854 100644
--- a/pkg/services/store/service.go
+++ b/pkg/services/store/service.go
@@ -194,9 +194,7 @@ func ProvideService(sql *sqlstore.SQLStore, features featuremgmt.FeatureToggles,
 }
 })
- return newStandardStorageService(sql, globalRoots, initializeOrgStorages, authService, storageServiceConfig{
- allowUnsanitizedSvgUpload: false,
- })
+ return newStandardStorageService(sql, globalRoots, initializeOrgStorages, authService, cfg)
 }
 func createSystemBrandingPathFilter() filestorage.PathFilter {
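Review bot: The comment on `allow_unsanitized_svg_upload` says what the option does but not why it defaults to false, so an operator flipping it gets no hint of the exposure they are accepting. Since the key's name implies that uploaded SVG content is kept as-is once enabled, the comment should state the risk, for example `# Allow uploading SVG files without sanitization. Unsanitized SVG can carry active content (scripts); keep this disabled unless every uploader is trusted.`. The ProvideService hunk further down this line passes `cfg` through to the constructor; the relevant part of its signature is cut off by the hunk header, so whether `cfg` is already a parameter there cannot be confirmed from this view.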
@@ -207,7 +205,7 @@ func createSystemBrandingPathFilter() filestorage.PathFilter {
 nil)
 }
-func newStandardStorageService(sql *sqlstore.SQLStore, globalRoots []storageRuntime, initializeOrgStorages func(orgId int64) []storageRuntime, authService storageAuthService, cfg storageServiceConfig) *standardStorageService {
+func newStandardStorageService(sql *sqlstore.SQLStore, globalRoots []storageRuntime, initializeOrgStorages func(orgId int64) []storageRuntime, authService storageAuthService, cfg *setting.Cfg) *standardStorageService {
 rootsByOrgId := make(map[int64][]storageRuntime)
 rootsByOrgId[ac.GlobalOrgID] = globalRoots
@@ -220,7 +218,9 @@ func newStandardStorageService(sql *sqlstore.SQLStore, globalRoots []storageRunt
 sql: sql,
 tree: res,
 authService: authService,
- cfg: cfg,
+ cfg: storageServiceConfig{
+ allowUnsanitizedSvgUpload: cfg.Storage.AllowUnsanitizedSvgUpload,
+ },
 }
 }
diff --git a/pkg/services/store/service_test.go b/pkg/services/store/service_test.go
index 0c99165973f..bee9b4008c3 100644
--- a/pkg/services/store/service_test.go
+++ b/pkg/services/store/service_test.go
@@ -11,12 +11,18 @@ import (
 "github.com/grafana/grafana/pkg/infra/filestorage"
 "github.com/grafana/grafana/pkg/models"
 "github.com/grafana/grafana/pkg/services/sqlstore"
+ "github.com/grafana/grafana/pkg/setting"
 "github.com/grafana/grafana/pkg/tsdb/testdatasource"
 "github.com/stretchr/testify/mock"
 "github.com/stretchr/testify/require"
 )
 var (
+ cfg = &setting.Cfg{
+ Storage: setting.StorageSettings{
+ AllowUnsanitizedSvgUpload: true,
+ },
+ }
 htmlBytes, _ = ioutil.ReadFile("testdata/page.html")
 jpgBytes, _ = ioutil.ReadFile("testdata/image.jpg")
 svgBytes, _ = ioutil.ReadFile("testdata/image.svg")
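Review bot: newStandardStorageService now takes the whole `*setting.Cfg` only to read `cfg.Storage.AllowUnsanitizedSvgUpload` in the @@ -220 hunk, and a nil pointer now panics at construction where the old value-typed `storageServiceConfig` could not be nil. Keeping the narrow parameter and doing the translation in ProvideService would leave the constructor independent of the global settings object and let tests pass either value without building a `setting.Cfg`: in ProvideService, `return newStandardStorageService(sql, globalRoots, initializeOrgStorages, authService, storageServiceConfig{allowUnsanitizedSvgUpload: cfg.Storage.AllowUnsanitizedSvgUpload})`, with the @@ -220 hunk's `cfg: cfg,` left as it was. If the wider parameter is intentional, a `// cfg must be non-nil.` comment on the signature would at least document the new precondition. The body of newStandardStorageService continues between and beyond these two hunks.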
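Review bot: The package-level `cfg` introduced in the `var (` block hard-wires `AllowUnsanitizedSvgUpload: true` for every test in the file, so TestListFiles and TestListFilesWithoutPermissions (hunks @@ -57 and @@ -77 on the next line), which previously ran with the zero-value `storageServiceConfig{}`, now run with the permissive setting, and no call site left in the diff exercises the default. A small constructor such as `func testCfg(allowUnsanitizedSvg bool) *setting.Cfg { return &setting.Cfg{Storage: setting.StorageSettings{AllowUnsanitizedSvgUpload: allowUnsanitizedSvg}} }` keeps both configurations reachable and avoids sharing one mutable pointer across tests. The list tests would then pass `testCfg(false)` and setupUploadStore `testCfg(true)`, matching the values they used before this change.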
@@ -57,7 +63,7 @@ func TestListFiles(t *testing.T) {
 store := newStandardStorageService(sqlstore.InitTestDB(t), roots, func(orgId int64) []storageRuntime {
 return make([]storageRuntime, 0)
- }, allowAllAuthService, storageServiceConfig{})
+ }, allowAllAuthService, cfg)
 frame, err := store.List(context.Background(), dummyUser, "public/testdata")
 require.NoError(t, err)
@@ -77,7 +83,7 @@ func TestListFilesWithoutPermissions(t *testing.T) {
 store := newStandardStorageService(sqlstore.InitTestDB(t), roots, func(orgId int64) []storageRuntime {
 return make([]storageRuntime, 0)
- }, denyAllAuthService, storageServiceConfig{})
+ }, denyAllAuthService, cfg)
 frame, err := store.List(context.Background(), dummyUser, "public/testdata")
 require.NoError(t, err)
 rowLen, err := frame.RowLen()
@@ -102,7 +108,7 @@ func setupUploadStore(t *testing.T, authService storageAuthService) (StorageServ
 }
 store := newStandardStorageService(sqlstore.InitTestDB(t), []storageRuntime{sqlStorage}, func(orgId int64) []storageRuntime {
 return make([]storageRuntime, 0)
- }, authService, storageServiceConfig{allowUnsanitizedSvgUpload: true})
+ }, authService, cfg)
 return store, mockStorage, storageName
 }
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index a67ca376306..b463b14db26 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -443,6 +443,8 @@ type Cfg struct {
 DashboardPreviews DashboardPreviewsSettings
+ Storage StorageSettings
+
 // Access Control
 RBACEnabled bool
 RBACPermissionCache bool
@@ -1014,6 +1016,7 @@ func (cfg *Cfg) Load(args CommandLineArgs) error {
 cfg.readDataSourcesSettings()
 cfg.DashboardPreviews = readDashboardPreviewsSettings(iniFile)
+ cfg.Storage = readStorageSettings(iniFile)
 if VerifyEmailEnabled && !cfg.Smtp.Enabled {
 cfg.Logger.Warn("require_email_validation is enabled but smtp is disabled")
diff --git a/pkg/setting/setting_storage.go b/pkg/setting/setting_storage.go
new file mode 100644
index 00000000000..04c31d62c6c
--- /dev/null
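Review bot: `cfg.Storage = readStorageSettings(iniFile)` in the Load hunk loads a setting that switches off a safety control, but nothing surfaces it when it is on, whereas the `cfg.Logger.Warn` two lines below shows the file's existing pattern for exactly this kind of configuration. Add after the assignment: `if cfg.Storage.AllowUnsanitizedSvgUpload {` / `cfg.Logger.Warn("allow_unsanitized_svg_upload is enabled; uploaded SVG files are accepted without sanitization")` / `}` so the permissive setting is visible in the startup log. The Cfg struct hunk above only adds the field; a `// Storage holds the [storage] section.` comment there would match the convention of the neighbouring fields. Load's body continues outside the hunk.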
+++ b/pkg/setting/setting_storage.go
@@ -0,0 +1,16 @@
+package setting
+
+import (
+ "gopkg.in/ini.v1"
+)
+
+type StorageSettings struct {
+ AllowUnsanitizedSvgUpload bool
+}
+
+func readStorageSettings(iniFile *ini.File) StorageSettings {
+ s := StorageSettings{}
+ storageSection := iniFile.Section("storage")
+ s.AllowUnsanitizedSvgUpload = storageSection.Key("allow_unsanitized_svg_upload").MustBool(false)
+ return s
+}
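Review bot: `StorageSettings` and its exported field carry no doc comments, which Go convention requires for exported names and which is the natural place to record why this flag is off by default. Suggest `// StorageSettings holds the [storage] section of the configuration.` on the type and `// AllowUnsanitizedSvgUpload allows uploading SVG files without sanitization; unsanitized SVG can carry active content, so it should stay false unless uploads are trusted.` on the field. The `MustBool(false)` fallback agrees with the `allow_unsanitized_svg_upload = false` default in defaults.ini, which is the right direction for a missing key; a one-line `// readStorageSettings reads the [storage] section, falling back to the safe default for a missing key.` on the function would make that intent explicit.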