Data proxy: Fix encoded characters in URL path should be proxied encoded (#30597)

Fix encoded characters in URL path should be proxied as encoded in the data proxy. Fixes #26870 Fixes #31438 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2025-02-25 18:55:37 -06:00 · 2021-03-17 12:17:41 +01:00 · 2021-03-17 12:17:41 +01:00 · c0edf88f9f
commit c0edf88f9f
parent 68b05b8aaa
6 changed files with 73 additions and 46 deletions
--- a/devenv/docker/blocks/slow_proxy/Dockerfile
+++ b/devenv/docker/blocks/slow_proxy/Dockerfile
@ -2,6 +2,6 @@
 FROM golang:latest
 ADD main.go /
 WORKDIR /
-RUN go build -o main . 
+RUN GO111MODULE=off go build -o main .
 EXPOSE 3011
 ENTRYPOINT ["/main"]
--- a/devenv/docker/blocks/slow_proxy_mac/Dockerfile
+++ b/devenv/docker/blocks/slow_proxy_mac/Dockerfile
@ -2,6 +2,6 @@
 FROM golang:latest
 ADD main.go /
 WORKDIR /
-RUN go build -o main . 
+RUN GO111MODULE=off go build -o main .
 EXPOSE 3011
 ENTRYPOINT ["/main"]
--- a/pkg/api/dataproxy.go
+++ b/pkg/api/dataproxy.go
@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
 	"regexp"
 	"github.com/grafana/grafana/pkg/api/datasource"
 	"github.com/grafana/grafana/pkg/api/pluginproxy"
@ -40,9 +41,7 @@ func (hs *HTTPServer) ProxyDataSourceRequest(c *models.ReqContext) {
 		return
 	}
-	// macaron does not include trailing slashes when resolving a wildcard path
+	proxyPath := getProxyPath(c)
 	proxyPath := ensureProxyPathTrailingSlash(c.Req.URL.Path, c.Params("*"))
 	proxy, err := pluginproxy.NewDataSourceProxy(ds, plugin, c, proxyPath, hs.Cfg)
 	if err != nil {
 		if errors.Is(err, datasource.URLValidationError{}) {
@ -55,14 +54,12 @@ func (hs *HTTPServer) ProxyDataSourceRequest(c *models.ReqContext) {
 	proxy.HandleRequest()
 }
-// ensureProxyPathTrailingSlash Check for a trailing slash in original path and makes
+var proxyPathRegexp = regexp.MustCompile(`^\/api\/datasources\/proxy\/[\d]+\/?`)
 // sure that a trailing slash is added to proxy path, if not already exists.
 func ensureProxyPathTrailingSlash(originalPath, proxyPath string) string {
 	if len(proxyPath) > 1 {
 		if originalPath[len(originalPath)-1] == '/' && proxyPath[len(proxyPath)-1] != '/' {
 			return proxyPath + "/"
 		}
 	}
-	return proxyPath
+func extractProxyPath(originalRawPath string) string {
 	return proxyPathRegexp.ReplaceAllString(originalRawPath, "")
 }
 func getProxyPath(c *models.ReqContext) string {
 	return extractProxyPath(c.Req.URL.EscapedPath())
 }
--- a/pkg/api/dataproxy_test.go
+++ b/pkg/api/dataproxy_test.go
@ -7,28 +7,28 @@ import (
 )
 func TestDataProxy(t *testing.T) {
-	testCases := []struct {
+	t.Run("extractProxyPath", func(t *testing.T) {
-		desc      string
+		testCases := []struct {
-		origPath  string
+			originalRawPath string
-		proxyPath string
+			exp             string
-		exp       string
+		}{
-	}{
+			{
-		{
+				"/api/datasources/proxy/1",
-			"Should append trailing slash to proxy path if original path has a trailing slash",
+				"",
-			"/api/datasources/proxy/6/api/v1/query_range/",
+			},
-			"api/v1/query_range/",
+			{
-			"api/v1/query_range/",
+				"/api/datasources/proxy/1/some/thing",
-		},
+				"some/thing",
-		{
+			},
-			"Should not append trailing slash to proxy path if original path doesn't have a trailing slash",
+			{
-			"/api/datasources/proxy/6/api/v1/query_range",
+				"/api/datasources/proxy/54/api/services/afsd%2Fafsd/operations",
-			"api/v1/query_range",
+				"api/services/afsd%2Fafsd/operations",
-			"api/v1/query_range",
+			},
-		},
+		}
-	}
+		for _, tc := range testCases {
-	for _, tc := range testCases {
+			t.Run("Given raw path, should extract expected proxy path", func(t *testing.T) {
-		t.Run(tc.desc, func(t *testing.T) {
+				assert.Equal(t, tc.exp, extractProxyPath(tc.originalRawPath))
-			assert.Equal(t, tc.exp, ensureProxyPathTrailingSlash(tc.origPath, tc.proxyPath))
+			})
-		})
+		}
-	}
+	})
 }
--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
@ -179,20 +179,28 @@ func (proxy *DataSourceProxy) director(req *http.Request) {
 	switch proxy.ds.Type {
 	case models.DS_INFLUXDB_08:
-		req.URL.Path = util.JoinURLFragments(proxy.targetUrl.Path, "db/"+proxy.ds.Database+"/"+proxy.proxyPath)
+		req.URL.RawPath = util.JoinURLFragments(proxy.targetUrl.Path, "db/"+proxy.ds.Database+"/"+proxy.proxyPath)
 		reqQueryVals.Add("u", proxy.ds.User)
 		reqQueryVals.Add("p", proxy.ds.DecryptedPassword())
 		req.URL.RawQuery = reqQueryVals.Encode()
 	case models.DS_INFLUXDB:
-		req.URL.Path = util.JoinURLFragments(proxy.targetUrl.Path, proxy.proxyPath)
+		req.URL.RawPath = util.JoinURLFragments(proxy.targetUrl.Path, proxy.proxyPath)
 		req.URL.RawQuery = reqQueryVals.Encode()
 		if !proxy.ds.BasicAuth {
 			req.Header.Set("Authorization", util.GetBasicAuthHeader(proxy.ds.User, proxy.ds.DecryptedPassword()))
 		}
 	default:
-		req.URL.Path = util.JoinURLFragments(proxy.targetUrl.Path, proxy.proxyPath)
+		req.URL.RawPath = util.JoinURLFragments(proxy.targetUrl.Path, proxy.proxyPath)
 	}
 	unescapedPath, err := url.PathUnescape(req.URL.RawPath)
 	if err != nil {
 		logger.Error("Failed to unescape raw path", "rawPath", req.URL.RawPath, "error", err)
 		return
 	}
 	req.URL.Path = unescapedPath
 	if proxy.ds.BasicAuth {
 		req.Header.Set("Authorization", util.GetBasicAuthHeader(proxy.ds.BasicAuthUser,
 			proxy.ds.DecryptedBasicAuthPassword()))
--- a/pkg/api/pluginproxy/ds_proxy_test.go
+++ b/pkg/api/pluginproxy/ds_proxy_test.go
@ -527,7 +527,7 @@ func TestDataSourceProxy_requestHandling(t *testing.T) {
 	type setUpCfg struct {
 		headers map[string]string
-		writeCb func(w http.ResponseWriter)
+		writeCb func(w http.ResponseWriter, r *http.Request)
 	}
 	setUp := func(t *testing.T, cfgs ...setUpCfg) (*models.ReqContext, *models.DataSource) {
@ -539,7 +539,7 @@ func TestDataSourceProxy_requestHandling(t *testing.T) {
 			for _, cfg := range cfgs {
 				if cfg.writeCb != nil {
 					t.Log("Writing response via callback")
-					cfg.writeCb(w)
+					cfg.writeCb(w, r)
 					written = true
 				}
 			}
@ -607,7 +607,7 @@ func TestDataSourceProxy_requestHandling(t *testing.T) {
 	t.Run("Data source returns status code 401", func(t *testing.T) {
 		ctx, ds := setUp(t, setUpCfg{
-			writeCb: func(w http.ResponseWriter) {
+			writeCb: func(w http.ResponseWriter, r *http.Request) {
 				w.WriteHeader(401)
 				w.Header().Set("www-authenticate", `Basic realm="Access to the server"`)
 				_, err := w.Write([]byte("Not authenticated"))
@ -624,6 +624,28 @@ func TestDataSourceProxy_requestHandling(t *testing.T) {
 		assert.Equal(t, 400, proxy.ctx.Resp.Status(), "Status code 401 should be converted to 400")
 		assert.Empty(t, proxy.ctx.Resp.Header().Get("www-authenticate"))
 	})
 	t.Run("Data source should handle proxy path url encoding correctly", func(t *testing.T) {
 		var req *http.Request
 		ctx, ds := setUp(t, setUpCfg{
 			writeCb: func(w http.ResponseWriter, r *http.Request) {
 				req = r
 				w.WriteHeader(200)
 				_, err := w.Write([]byte("OK"))
 				require.NoError(t, err)
 			},
 		})
 		ctx.Req.Request = httptest.NewRequest("GET", "/api/datasources/proxy/1/path/%2Ftest%2Ftest%2F?query=%2Ftest%2Ftest%2F", nil)
 		proxy, err := NewDataSourceProxy(ds, plugin, ctx, "/path/%2Ftest%2Ftest%2F", &setting.Cfg{})
 		require.NoError(t, err)
 		proxy.HandleRequest()
 		require.NoError(t, writeErr)
 		require.NotNil(t, req)
 		require.Equal(t, "/path/%2Ftest%2Ftest%2F?query=%2Ftest%2Ftest%2F", req.RequestURI)
 	})
 }
 func TestNewDataSourceProxy_InvalidURL(t *testing.T) {