Sandbox: do not load grafana signed app plugins into the sandbox (#78334)

* Sandbox: do not load grafana signed app plugins into the sandbox * remove unused dependency
2025-02-25 18:55:37 -06:00 · 2023-11-20 12:00:31 +01:00 · 2023-11-20 12:00:31 +01:00 · cfc67a9e2d
commit cfc67a9e2d
parent 437ae8e8c5
2 changed files with 38 additions and 11 deletions
--- a/public/app/features/plugins/plugin_loader.ts
+++ b/public/app/features/plugins/plugin_loader.ts
@ -68,7 +68,7 @@ export async function importPluginModule({
  }

  // the sandboxing environment code cannot work in nodejs and requires a real browser
-  if (isFrontendSandboxSupported({ isAngular, pluginId })) {
+  if (await isFrontendSandboxSupported({ isAngular, pluginId })) {
    return importPluginModuleInSandbox({ pluginId });
  }

--- a/public/app/features/plugins/sandbox/utils.ts
+++ b/public/app/features/plugins/sandbox/utils.ts
@ -1,9 +1,12 @@
 import { isNearMembraneProxy } from '@locker/near-membrane-shared';
 import React from 'react';

+import { PluginSignatureType, PluginType } from '@grafana/data';
 import { LogContext } from '@grafana/faro-web-sdk';
 import { logWarning as logWarningRuntime, logError as logErrorRuntime, config } from '@grafana/runtime';

+import { getPluginSettings } from '../pluginSettings';
+
 import { SandboxedPluginObject } from './types';

 const monitorOnly = Boolean(config.featureToggles.frontendSandboxMonitorOnly);
@ -38,23 +41,47 @@ export function logError(error: Error, context?: LogContext) {
  logErrorRuntime(error, context);
 }

-export function isFrontendSandboxSupported({
+export async function isFrontendSandboxSupported({
  isAngular,
  pluginId,
 }: {
  isAngular?: boolean;
  pluginId: string;
-}): boolean {
+}): Promise<boolean> {
+  // Only if the feature is not enabled no support for sandbox
+  if (!Boolean(config.featureToggles.pluginsFrontendSandbox)) {
+    return false;
+  }
+
+  // no support for angular plugins
+  if (isAngular) {
+    return false;
+  }
+
  // To fast test and debug the sandbox in the browser.
-  const sandboxQueryParam = location.search.includes('nosandbox') && config.buildInfo.env === 'development';
+  const sandboxDisableQueryParam = location.search.includes('nosandbox') && config.buildInfo.env === 'development';
+  if (sandboxDisableQueryParam) {
+    return false;
+  }
+
+  // if disabled by configuration
  const isPluginExcepted = config.disableFrontendSandboxForPlugins.includes(pluginId);
-  return (
-    !isAngular &&
-    Boolean(config.featureToggles.pluginsFrontendSandbox) &&
-    process.env.NODE_ENV !== 'test' &&
-    !isPluginExcepted &&
-    !sandboxQueryParam
-  );
+  if (isPluginExcepted) {
+    return false;
+  }
+
+  // no sandbox in test mode. it often breaks e2e tests
+  if (process.env.NODE_ENV === 'test') {
+    return false;
+  }
+
+  // we don't run grafana-own apps in the sandbox
+  const pluginMeta = await getPluginSettings(pluginId);
+  if (pluginMeta.type === PluginType.app && pluginMeta.signatureType === PluginSignatureType.grafana) {
+    return false;
+  }
+
+  return true;
 }

 function isRegex(value: unknown): value is RegExp {