Commit 034abaa7 by Robbert Gurdeep Singh Committed by GitHub

Security: Use Header.Set and Header.Del for X-Grafana-User header (#25495)

This ensures that the X-Grafana-User header can be trusted.
If the configuration enabled the setting of this header, the
server can now trust that X-Grafana-User is set/unset by Grafana.
Before this, an anonymous user could simply set the X-Grafana-User
header themselves (using the developer tool for example)
parent 1e88e508
......@@ -187,9 +187,7 @@ func (proxy *DataSourceProxy) getDirector() func(req *http.Request) {
req.Header.Add("Authorization", dsAuth)
}
if proxy.cfg.SendUserHeader && !proxy.ctx.SignedInUser.IsAnonymous {
req.Header.Add("X-Grafana-User", proxy.ctx.SignedInUser.Login)
}
applyUserHeader(proxy.cfg.SendUserHeader, req, proxy.ctx.SignedInUser)
keepCookieNames := []string{}
if proxy.ds.JsonData != nil {
......
......@@ -79,11 +79,9 @@ func NewApiPluginProxy(ctx *models.ReqContext, proxyPath string, route *plugins.
return
}
req.Header.Add("X-Grafana-Context", string(ctxJSON))
req.Header.Set("X-Grafana-Context", string(ctxJSON))
if cfg.SendUserHeader && !ctx.SignedInUser.IsAnonymous {
req.Header.Add("X-Grafana-User", ctx.SignedInUser.Login)
}
applyUserHeader(cfg.SendUserHeader, req, ctx.SignedInUser)
if len(route.Headers) > 0 {
headers, err := getHeaders(route, ctx.OrgId, appID)
......
......@@ -3,6 +3,7 @@ package pluginproxy
import (
"bytes"
"fmt"
"net/http"
"net/url"
"text/template"
......@@ -47,3 +48,11 @@ func InterpolateURL(anURL *url.URL, route *plugins.AppPluginRoute, orgID int64,
return result, err
}
// Set the X-Grafana-User header if needed (and remove if not)
func applyUserHeader(sendUserHeader bool, req *http.Request, user *models.SignedInUser) {
req.Header.Del("X-Grafana-User")
if sendUserHeader && !user.IsAnonymous {
req.Header.Set("X-Grafana-User", user.Login)
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment