[main] Plugin fixes (#57399)

* Plugins: Remove support for V1 manifests * Plugins: Make proxy endpoints not leak sensitive HTTP headers * Security: Fix do not forward login cookie in outgoing requests (cherry picked from commit 4539c33fce) Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2022-10-21 13:54:55 +02:00
parent af17123b5f
commit 6f8fcae01b
20 changed files with 198 additions and 38 deletions
--- a/pkg/plugins/manager/loader/loader_test.go
+++ b/pkg/plugins/manager/loader/loader_test.go
@@ -298,7 +298,7 @@ func TestLoader_Load(t *testing.T) {
 			},
 		},
 		{
-			name:        "Load an unsigned plugin with modified signature (production)",
+			name:        "Load a plugin with v1 manifest should return signatureInvalid",
 			class:       plugins.External,
 			cfg:         &config.Cfg{},
 			pluginPaths: []string{"../testdata/lacking-files"},
@@ -306,12 +306,12 @@ func TestLoader_Load(t *testing.T) {
 			pluginErrors: map[string]*plugins.Error{
 				"test-datasource": {
 					PluginID:  "test-datasource",
-					ErrorCode: "signatureModified",
+					ErrorCode: "signatureInvalid",
 				},
 			},
 		},
 		{
-			name:  "Load an unsigned plugin with modified signature using PluginsAllowUnsigned config (production) still includes a signing error",
+			name:  "Load a plugin with v1 manifest using PluginsAllowUnsigned config (production) should return signatureInvali",
 			class: plugins.External,
 			cfg: &config.Cfg{
 				PluginsAllowUnsigned: []string{"test-datasource"},
@@ -321,7 +321,7 @@ func TestLoader_Load(t *testing.T) {
 			pluginErrors: map[string]*plugins.Error{
 				"test-datasource": {
 					PluginID:  "test-datasource",
-					ErrorCode: "signatureModified",
+					ErrorCode: "signatureInvalid",
 				},
 			},
 		},
--- a/pkg/plugins/manager/signature/manifest.go
+++ b/pkg/plugins/manager/signature/manifest.go
@@ -132,6 +132,12 @@ func Calculate(mlog log.Logger, plugin *plugins.Plugin) (plugins.Signature, erro
 		}, nil
 	}

+	if !manifest.isV2() {
+		return plugins.Signature{
+			Status: plugins.SignatureInvalid,
+		}, nil
+	}
+
 	// Make sure the versions all match
 	if manifest.Plugin != plugin.ID || manifest.Version != plugin.Info.Version {
 		return plugins.Signature{
@@ -167,21 +173,19 @@ func Calculate(mlog log.Logger, plugin *plugins.Plugin) (plugins.Signature, erro
 		manifestFiles[p] = struct{}{}
 	}

-	if manifest.isV2() {
-		// Track files missing from the manifest
-		var unsignedFiles []string
-		for _, f := range pluginFiles {
-			if _, exists := manifestFiles[f]; !exists {
-				unsignedFiles = append(unsignedFiles, f)
-			}
+	// Track files missing from the manifest
+	var unsignedFiles []string
+	for _, f := range pluginFiles {
+		if _, exists := manifestFiles[f]; !exists {
+			unsignedFiles = append(unsignedFiles, f)
 		}
+	}

-		if len(unsignedFiles) > 0 {
-			mlog.Warn("The following files were not included in the signature", "plugin", plugin.ID, "files", unsignedFiles)
-			return plugins.Signature{
-				Status: plugins.SignatureModified,
-			}, nil
-		}
+	if len(unsignedFiles) > 0 {
+		mlog.Warn("The following files were not included in the signature", "plugin", plugin.ID, "files", unsignedFiles)
+		return plugins.Signature{
+			Status: plugins.SignatureModified,
+		}, nil
 	}

 	mlog.Debug("Plugin signature valid", "id", plugin.ID)