improve security of Prometheus datasource

Mitsuhiro Tanda 2017-02-06 00:08:35 +09:00
parent d9b5628126
commit 69566a23fc


@ -6,6 +6,7 @@ import (
"net/http"
"net/http/httputil"
"net/url"
"strings"
"time"
"github.com/grafana/grafana/pkg/api/cloudwatch"
@ -107,6 +108,13 @@ func ProxyDataSourceRequest(c *middleware.Context) {
proxyPath := c.Params("*")
if ds.Type == m.DS_PROMETHEUS {
if !(c.Req.Request.Method == "GET" && strings.Index(proxyPath, "api/") == 0) {
c.JsonApiErr(403, "GET is only allowed on proxied Prometheus datasource", nil)
return
}
}
if ds.Type == m.DS_ES {
if c.Req.Request.Method == "DELETE" {
c.JsonApiErr(403, "Deletes not allowed on proxied Elasticsearch datasource", nil)
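Review bot: The new Prometheus guard tests the raw wildcard value with `strings.Index(proxyPath, "api/") == 0`, so a path that starts with `api/` but contains `..` segments would still pass unless something earlier normalises it, and no such step is visible in this hunk. Consider checking a cleaned path instead, e.g. `cleaned := path.Clean("/" + proxyPath)` followed by `strings.HasPrefix(cleaned, "/api/")`, and forwarding the cleaned value; this needs the `path` import, and `strings.HasPrefix` is also the idiomatic form of the current test. The 403 text "GET is only allowed on proxied Prometheus datasource" is also returned for a GET outside `api/`, so a message that names both conditions (method and path prefix) would make denied requests easier to diagnose from logs. A short comment above the `if` stating that only read-only GET requests under `api/` are forwarded would record the intent of the allowlist. ProxyDataSourceRequest starts and ends outside this hunk, so how `proxyPath` is used afterwards should be confirmed against the full function.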