Security: Use Header.Set and Header.Del for X-Grafana-User header (#25495)

This ensures that the X-Grafana-User header can be trusted. If the configuration enabled the setting of this header, the server can now trust that X-Grafana-User is set/unset by Grafana. Before this, an anonymous user could simply set the X-Grafana-User header themselves (using the developer tool for example)

Security: Use Header.Set and Header.Del for X-Grafana-User header (#25495)
This ensures that the X-Grafana-User header can be trusted. If the configuration enabled the setting of this header, the server can now trust that X-Grafana-User is set/unset by Grafana. Before this, an anonymous user could simply set the X-Grafana-User header themselves (using the developer tool for example)
034abaa7 · Robbert Gurdeep Singh · GitHub · 1e88e508 · 034abaa7 · 034abaa7
Commit 034abaa7 authored Jun 11, 2020 by Robbert Gurdeep Singh Committed by GitHub Jun 11, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 7 deletions

pkg/api/pluginproxy/ds_proxy.go
+1 -3

pkg/api/pluginproxy/pluginproxy.go
+2 -4

pkg/api/pluginproxy/utils.go
+9 -0

No files found.
--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
@@ -187,9 +187,7 @@ func (proxy *DataSourceProxy) getDirector() func(req *http.Request) {
 			req.Header.Add("Authorization", dsAuth)
 		}
-		if proxy.cfg.SendUserHeader && !proxy.ctx.SignedInUser.IsAnonymous {
+		applyUserHeader(proxy.cfg.SendUserHeader, req, proxy.ctx.SignedInUser)
-			req.Header.Add("X-Grafana-User", proxy.ctx.SignedInUser.Login)
-		}
 		keepCookieNames := []string{}
 		if proxy.ds.JsonData != nil {

--- a/pkg/api/pluginproxy/pluginproxy.go
+++ b/pkg/api/pluginproxy/pluginproxy.go
@@ -79,11 +79,9 @@ func NewApiPluginProxy(ctx *models.ReqContext, proxyPath string, route *plugins.
 			return
 		}
-		req.Header.Add("X-Grafana-Context", string(ctxJSON))
+		req.Header.Set("X-Grafana-Context", string(ctxJSON))
-		if cfg.SendUserHeader && !ctx.SignedInUser.IsAnonymous {
+		applyUserHeader(cfg.SendUserHeader, req, ctx.SignedInUser)
-			req.Header.Add("X-Grafana-User", ctx.SignedInUser.Login)
-		}
 		if len(route.Headers) > 0 {
 			headers, err := getHeaders(route, ctx.OrgId, appID)

--- a/pkg/api/pluginproxy/utils.go
+++ b/pkg/api/pluginproxy/utils.go
@@ -3,6 +3,7 @@ package pluginproxy
 import (
 	"bytes"
 	"fmt"
+	"net/http"
 	"net/url"
 	"text/template"
@@ -47,3 +48,11 @@ func InterpolateURL(anURL *url.URL, route *plugins.AppPluginRoute, orgID int64, 
 	return result, err
 }
+// Set the X-Grafana-User header if needed (and remove if not)
+func applyUserHeader(sendUserHeader bool, req *http.Request, user *models.SignedInUser) {
+	req.Header.Del("X-Grafana-User")
+	if sendUserHeader && !user.IsAnonymous {
+		req.Header.Set("X-Grafana-User", user.Login)
+	}
+}