mirror of
https://github.com/grafana/grafana.git
synced 2025-01-20 21:43:32 -06:00
605d056136
* * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com> * remove duplicate WHERE statement * Fix for CVE-2022-21702 (cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e) * Lint and test fixes (cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981) * check content type properly (cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98) * basic csrf origin check (cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1) * compare origin to host (cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42) * simplify url parsing (cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d) * check csrf for GET requests, only compare origin (cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709) * parse content type properly (cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0) * mentioned get in the comment (cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345) * add content-type: application/json to test HTTP requests * fix pluginproxy test * Fix linter when comparing errors Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Dan Cech <dcech@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>
51 lines
1.3 KiB
Go
51 lines
1.3 KiB
Go
package proxyutil
|
|
|
|
import (
|
|
"net"
|
|
"net/http"
|
|
)
|
|
|
|
// PrepareProxyRequest prepares a request for being proxied.
|
|
// Removes X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto headers.
|
|
// Set X-Forwarded-For headers.
|
|
func PrepareProxyRequest(req *http.Request) {
|
|
req.Header.Del("X-Forwarded-Host")
|
|
req.Header.Del("X-Forwarded-Port")
|
|
req.Header.Del("X-Forwarded-Proto")
|
|
|
|
if req.RemoteAddr != "" {
|
|
remoteAddr, _, err := net.SplitHostPort(req.RemoteAddr)
|
|
if err != nil {
|
|
remoteAddr = req.RemoteAddr
|
|
}
|
|
if req.Header.Get("X-Forwarded-For") != "" {
|
|
req.Header.Set("X-Forwarded-For", req.Header.Get("X-Forwarded-For")+", "+remoteAddr)
|
|
} else {
|
|
req.Header.Set("X-Forwarded-For", remoteAddr)
|
|
}
|
|
}
|
|
}
|
|
|
|
// ClearCookieHeader clear cookie header, except for cookies specified to be kept.
|
|
func ClearCookieHeader(req *http.Request, keepCookiesNames []string) {
|
|
var keepCookies []*http.Cookie
|
|
for _, c := range req.Cookies() {
|
|
for _, v := range keepCookiesNames {
|
|
if c.Name == v {
|
|
keepCookies = append(keepCookies, c)
|
|
}
|
|
}
|
|
}
|
|
|
|
req.Header.Del("Cookie")
|
|
for _, c := range keepCookies {
|
|
req.AddCookie(c)
|
|
}
|
|
}
|
|
|
|
// SetProxyResponseHeaders sets proxy response headers.
|
|
// Sets Content-Security-Policy: sandbox
|
|
func SetProxyResponseHeaders(header http.Header) {
|
|
header.Set("Content-Security-Policy", "sandbox")
|
|
}
|