From 69566a23fc0302741f43a8078860ee822bda4b85 Mon Sep 17 00:00:00 2001
From: Mitsuhiro Tanda
Date: Mon, 6 Feb 2017 00:08:35 +0900
Subject: [PATCH] improve security of Prometheus datasource
---
 pkg/api/dataproxy.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/pkg/api/dataproxy.go b/pkg/api/dataproxy.go
index dfdc867d4a4..bc286743533 100644
--- a/pkg/api/dataproxy.go
+++ b/pkg/api/dataproxy.go
@@ -6,6 +6,7 @@ import (
 "net/http"
 "net/http/httputil"
 "net/url"
+ "strings"
 "time"
 "github.com/grafana/grafana/pkg/api/cloudwatch"
@@ -107,6 +108,13 @@ func ProxyDataSourceRequest(c *middleware.Context) {
 proxyPath := c.Params("*")
+ if ds.Type == m.DS_PROMETHEUS {
+ if !(c.Req.Request.Method == "GET" && strings.Index(proxyPath, "api/") == 0) {
+ c.JsonApiErr(403, "GET is only allowed on proxied Prometheus datasource", nil)
+ return
+ }
+ }
+
 if ds.Type == m.DS_ES {
 if c.Req.Request.Method == "DELETE" {
 c.JsonApiErr(403, "Deletes not allowed on proxied Elasticsearch datasource", nil)
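Review bot: The allowlist test `strings.Index(proxyPath, "api/") == 0` in the new Prometheus branch runs on the raw wildcard path, so a path that starts with `api/` but contains `..` segments passes it; whether such a path can then resolve outside `api/` depends on how the proxy director and the upstream normalise it, which this hunk does not show. Checking the normalised form would close that gap, for example `strings.HasPrefix(path.Clean("/"+proxyPath), "/api/")` (needs the `path` import), and `strings.HasPrefix` is also the idiomatic spelling of a prefix test. The 403 text "GET is only allowed on proxied Prometheus datasource" is returned for a GET outside `api/` as well, so the message should name both conditions, e.g. `"Only GET requests to api/ are allowed on proxied Prometheus datasource"`. A one-line comment above the branch, saying that only the read-only query API is meant to be reachable through the proxy, would record why this is an allowlist while the Elasticsearch branch below it is a denylist on DELETE. ProxyDataSourceRequest starts and ends outside the hunk.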