mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
Security: fixes CVE-2022-29170 (#49240)
* Request interceptor: block redirects * handle location missing * Update pkg/infra/httpclient/httpclientprovider/host_redirect_validation_middleware.go Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Update pkg/infra/httpclient/httpclientprovider/host_redirect_validation_middleware.go Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * linter * fixes tests Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
This commit is contained in:
Leonard Gram
GitHub
@@ -0,0 +1,37 @@
|
|||||||
|
package httpclientprovider
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"net/http"
|
||||||
|
|
||||||
|
"github.com/grafana/grafana/pkg/models"
|
||||||
|
|
||||||
|
sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
|
||||||
|
)
|
||||||
|
|
||||||
|
const HostRedirectValidationMiddlewareName = "host-redirect-validation"
|
||||||
|
|
||||||
|
func RedirectLimitMiddleware(reqValidator models.PluginRequestValidator) sdkhttpclient.Middleware {
|
||||||
|
return sdkhttpclient.NamedMiddlewareFunc(HostRedirectValidationMiddlewareName, func(opts sdkhttpclient.Options, next http.RoundTripper) http.RoundTripper {
|
||||||
|
return sdkhttpclient.RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
|
||||||
|
res, err := next.RoundTrip(req)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if res.StatusCode >= 300 && res.StatusCode < 400 {
|
||||||
|
location, locationErr := res.Location()
|
||||||
|
if errors.Is(locationErr, http.ErrNoLocation) {
|
||||||
|
return res, nil
|
||||||
|
}
|
||||||
|
if locationErr != nil {
|
||||||
|
return nil, locationErr
|
||||||
|
}
|
||||||
|
|
||||||
|
if validationErr := reqValidator.Validate(location.String(), nil); validationErr != nil {
|
||||||
|
return nil, validationErr
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return res, nil
|
||||||
|
})
|
||||||
|
})
|
||||||
|
}
|
||||||
@@ -5,6 +5,8 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/grafana/grafana/pkg/models"
|
||||||
|
|
||||||
sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
|
sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
|
||||||
"github.com/grafana/grafana/pkg/infra/log"
|
"github.com/grafana/grafana/pkg/infra/log"
|
||||||
"github.com/grafana/grafana/pkg/infra/metrics/metricutil"
|
"github.com/grafana/grafana/pkg/infra/metrics/metricutil"
|
||||||
@@ -16,7 +18,7 @@ import (
|
|||||||
var newProviderFunc = sdkhttpclient.NewProvider
|
var newProviderFunc = sdkhttpclient.NewProvider
|
||||||
|
|
||||||
// New creates a new HTTP client provider with pre-configured middlewares.
|
// New creates a new HTTP client provider with pre-configured middlewares.
|
||||||
func New(cfg *setting.Cfg, tracer tracing.Tracer) *sdkhttpclient.Provider {
|
func New(cfg *setting.Cfg, validator models.PluginRequestValidator, tracer tracing.Tracer) *sdkhttpclient.Provider {
|
||||||
logger := log.New("httpclient")
|
logger := log.New("httpclient")
|
||||||
userAgent := fmt.Sprintf("Grafana/%s", cfg.BuildVersion)
|
userAgent := fmt.Sprintf("Grafana/%s", cfg.BuildVersion)
|
||||||
|
|
||||||
@@ -27,6 +29,7 @@ func New(cfg *setting.Cfg, tracer tracing.Tracer) *sdkhttpclient.Provider {
|
|||||||
sdkhttpclient.BasicAuthenticationMiddleware(),
|
sdkhttpclient.BasicAuthenticationMiddleware(),
|
||||||
sdkhttpclient.CustomHeadersMiddleware(),
|
sdkhttpclient.CustomHeadersMiddleware(),
|
||||||
ResponseLimitMiddleware(cfg.ResponseLimit),
|
ResponseLimitMiddleware(cfg.ResponseLimit),
|
||||||
|
RedirectLimitMiddleware(validator),
|
||||||
}
|
}
|
||||||
|
|
||||||
if cfg.SigV4AuthEnabled {
|
if cfg.SigV4AuthEnabled {
|
||||||
|
|||||||
@@ -3,6 +3,8 @@ package httpclientprovider
|
|||||||
import (
|
import (
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
"github.com/grafana/grafana/pkg/services/validations"
|
||||||
|
|
||||||
sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
|
sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
|
||||||
"github.com/grafana/grafana/pkg/infra/tracing"
|
"github.com/grafana/grafana/pkg/infra/tracing"
|
||||||
"github.com/grafana/grafana/pkg/setting"
|
"github.com/grafana/grafana/pkg/setting"
|
||||||
@@ -22,10 +24,10 @@ func TestHTTPClientProvider(t *testing.T) {
|
|||||||
})
|
})
|
||||||
tracer, err := tracing.InitializeTracerForTest()
|
tracer, err := tracing.InitializeTracerForTest()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
_ = New(&setting.Cfg{SigV4AuthEnabled: false}, tracer)
|
_ = New(&setting.Cfg{SigV4AuthEnabled: false}, &validations.OSSPluginRequestValidator{}, tracer)
|
||||||
require.Len(t, providerOpts, 1)
|
require.Len(t, providerOpts, 1)
|
||||||
o := providerOpts[0]
|
o := providerOpts[0]
|
||||||
require.Len(t, o.Middlewares, 6)
|
require.Len(t, o.Middlewares, 7)
|
||||||
require.Equal(t, TracingMiddlewareName, o.Middlewares[0].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
require.Equal(t, TracingMiddlewareName, o.Middlewares[0].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
||||||
require.Equal(t, DataSourceMetricsMiddlewareName, o.Middlewares[1].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
require.Equal(t, DataSourceMetricsMiddlewareName, o.Middlewares[1].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
||||||
require.Equal(t, SetUserAgentMiddlewareName, o.Middlewares[2].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
require.Equal(t, SetUserAgentMiddlewareName, o.Middlewares[2].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
||||||
@@ -46,16 +48,16 @@ func TestHTTPClientProvider(t *testing.T) {
|
|||||||
})
|
})
|
||||||
tracer, err := tracing.InitializeTracerForTest()
|
tracer, err := tracing.InitializeTracerForTest()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
_ = New(&setting.Cfg{SigV4AuthEnabled: true}, tracer)
|
_ = New(&setting.Cfg{SigV4AuthEnabled: true}, &validations.OSSPluginRequestValidator{}, tracer)
|
||||||
require.Len(t, providerOpts, 1)
|
require.Len(t, providerOpts, 1)
|
||||||
o := providerOpts[0]
|
o := providerOpts[0]
|
||||||
require.Len(t, o.Middlewares, 7)
|
require.Len(t, o.Middlewares, 8)
|
||||||
require.Equal(t, TracingMiddlewareName, o.Middlewares[0].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
require.Equal(t, TracingMiddlewareName, o.Middlewares[0].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
||||||
require.Equal(t, DataSourceMetricsMiddlewareName, o.Middlewares[1].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
require.Equal(t, DataSourceMetricsMiddlewareName, o.Middlewares[1].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
||||||
require.Equal(t, SetUserAgentMiddlewareName, o.Middlewares[2].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
require.Equal(t, SetUserAgentMiddlewareName, o.Middlewares[2].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
||||||
require.Equal(t, sdkhttpclient.BasicAuthenticationMiddlewareName, o.Middlewares[3].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
require.Equal(t, sdkhttpclient.BasicAuthenticationMiddlewareName, o.Middlewares[3].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
||||||
require.Equal(t, sdkhttpclient.CustomHeadersMiddlewareName, o.Middlewares[4].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
require.Equal(t, sdkhttpclient.CustomHeadersMiddlewareName, o.Middlewares[4].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
||||||
require.Equal(t, ResponseLimitMiddlewareName, o.Middlewares[5].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
require.Equal(t, ResponseLimitMiddlewareName, o.Middlewares[5].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
||||||
require.Equal(t, SigV4MiddlewareName, o.Middlewares[6].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
require.Equal(t, SigV4MiddlewareName, o.Middlewares[7].(sdkhttpclient.MiddlewareName).MiddlewareName())
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user