Renderer: Add sanitize API (#50936)

* svg fun * #50597: add proto * #50597: add sanitizer methods * #50597: add provider * #50597: use sanitizer * #50597: use sanitizer * update grafana to match new api * add comments * add capability check * add timing * update sanitize path * improve log message * strings.HasPrefix rather than filepath.IsAbs * filepath.Clean + filepath.ToSlash for windows * read 404 * remove `path.clean` from `getPathAndScope` * add resp body close * remove unneeded prop * Update pkg/services/rendering/rendering.go Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> * remove test files * filepath.ToSlash correct wrapping * filepath.ToSlash correct wrapping * filepath.ToSlash comment * compilation error * lint fix * fix error message * Update pkg/services/rendering/rendering.go Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> * add `image/svg+xml` mime type * refactored log * refactored log Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2022-07-07 15:32:18 +04:00
parent f279699beb
commit e96f67ae2e
21 changed files with 710 additions and 28 deletions
--- a/pkg/services/store/sanitize.go
+++ b/pkg/services/store/sanitize.go
@@ -6,20 +6,44 @@ import (

 	"github.com/grafana/grafana/pkg/infra/filestorage"
 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/services/rendering"
+	"github.com/grafana/grafana/pkg/services/store/sanitizer"
 )

-func (s *standardStorageService) sanitizeUploadRequest(ctx context.Context, user *models.SignedInUser, req *UploadRequest, storagePath string) (*filestorage.UpsertFileCommand, error) {
+func (s *standardStorageService) sanitizeContents(ctx context.Context, user *models.SignedInUser, req *UploadRequest, storagePath string) ([]byte, error) {
 	if req.EntityType == EntityTypeImage {
 		ext := filepath.Ext(req.Path)
-		//nolint: staticcheck
 		if ext == ".svg" {
-			// TODO: sanitize svg
+			resp, err := sanitizer.SanitizeSVG(ctx, &rendering.SanitizeSVGRequest{
+				Filename: storagePath,
+				Content:  req.Contents,
+			})
+			if err != nil {
+				if s.cfg.allowUnsanitizedSvgUpload {
+					grafanaStorageLogger.Debug("allowing unsanitized svg upload", "filename", req.Path, "sanitizationError", err)
+					return req.Contents, nil
+				} else {
+					grafanaStorageLogger.Debug("disallowing unsanitized svg upload", "filename", req.Path, "sanitizationError", err)
+					return nil, err
+				}
+			}
+
+			return resp.Sanitized, nil
 		}
 	}

+	return req.Contents, nil
+}
+
+func (s *standardStorageService) sanitizeUploadRequest(ctx context.Context, user *models.SignedInUser, req *UploadRequest, storagePath string) (*filestorage.UpsertFileCommand, error) {
+	contents, err := s.sanitizeContents(ctx, user, req, storagePath)
+	if err != nil {
+		return nil, err
+	}
+
 	return &filestorage.UpsertFileCommand{
 		Path:               storagePath,
-		Contents:           req.Contents,
+		Contents:           contents,
 		MimeType:           req.MimeType,
 		CacheControl:       req.CacheControl,
 		ContentDisposition: req.ContentDisposition,