Commit 5bd11744 by Torkel Ödegaard Committed by GitHub

Merge pull request #13670 from svenklemm/metrics-segment-xss

Escape values in metric segment and sql part
parents 34ef5e77 2803cdca
...@@ -103,7 +103,7 @@ export function queryPartEditorDirective($compile, templateSrv) { ...@@ -103,7 +103,7 @@ export function queryPartEditorDirective($compile, templateSrv) {
$scope.$apply(() => { $scope.$apply(() => {
$scope.handleEvent({ $event: { name: 'get-param-options' } }).then(result => { $scope.handleEvent({ $event: { name: 'get-param-options' } }).then(result => {
const dynamicOptions = _.map(result, op => { const dynamicOptions = _.map(result, op => {
return op.value; return _.escape(op.value);
}); });
callback(dynamicOptions); callback(dynamicOptions);
}); });
...@@ -117,6 +117,7 @@ export function queryPartEditorDirective($compile, templateSrv) { ...@@ -117,6 +117,7 @@ export function queryPartEditorDirective($compile, templateSrv) {
minLength: 0, minLength: 0,
items: 1000, items: 1000,
updater: value => { updater: value => {
value = _.unescape(value);
setTimeout(() => { setTimeout(() => {
inputBlur.call($input[0], paramIndex); inputBlur.call($input[0], paramIndex);
}, 0); }, 0);
......
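Review bot: The `_.escape` on the option values in the `-103,7 +103,7` hunk and the `_.unescape` at the top of `updater` in the `-117,6 +117,7` hunk are a matched pair, but neither site says so; a later edit that feeds a second option source into the same typeahead, or drops one side, would either double-escape or hand raw markup to the dropdown. Add `// options are HTML-escaped for the typeahead dropdown; recover the raw value before using it` on the `_.unescape` line and `// escaped: the typeahead renders option text as HTML` on the map callback. The unescape is applied to whatever the typeahead hands back, so a value that reaches `updater` without having passed through the escaped option list (a literally typed `&amp;`, if the typeahead forwards it unchanged) would be altered; worth confirming against the typeahead's updater behaviour. queryPartEditorDirective begins before and continues past both hunks.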
...@@ -109,12 +109,12 @@ export function sqlPartEditorDirective($compile, templateSrv) { ...@@ -109,12 +109,12 @@ export function sqlPartEditorDirective($compile, templateSrv) {
$scope.$apply(() => { $scope.$apply(() => {
$scope.handleEvent({ $event: { name: 'get-param-options', param: param } }).then(result => { $scope.handleEvent({ $event: { name: 'get-param-options', param: param } }).then(result => {
const dynamicOptions = _.map(result, op => { const dynamicOptions = _.map(result, op => {
return op.value; return _.escape(op.value);
}); });
// add current value to dropdown if it's not in dynamicOptions // add current value to dropdown if it's not in dynamicOptions
if (_.indexOf(dynamicOptions, part.params[paramIndex]) === -1) { if (_.indexOf(dynamicOptions, part.params[paramIndex]) === -1) {
dynamicOptions.unshift(part.params[paramIndex]); dynamicOptions.unshift(_.escape(part.params[paramIndex]));
} }
callback(dynamicOptions); callback(dynamicOptions);
...@@ -129,6 +129,7 @@ export function sqlPartEditorDirective($compile, templateSrv) { ...@@ -129,6 +129,7 @@ export function sqlPartEditorDirective($compile, templateSrv) {
minLength: 0, minLength: 0,
items: 1000, items: 1000,
updater: value => { updater: value => {
value = _.unescape(value);
if (value === part.params[paramIndex]) { if (value === part.params[paramIndex]) {
clearTimeout(cancelBlur); clearTimeout(cancelBlur);
$input.focus(); $input.focus();
......
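Review bot: In the `-109,12 +109,12` hunk the membership check still compares the raw `part.params[paramIndex]` against `dynamicOptions`, whose entries are now `_.escape`d, so a current value containing `&`, `<`, `>`, `"`, `'` or a backtick never matches and its escaped form is prepended even when the list already holds it. Escape once and reuse it: `const current = _.escape(part.params[paramIndex]);` / `if (_.indexOf(dynamicOptions, current) === -1) {` / `dynamicOptions.unshift(current);`. The same raw-value-against-escaped-list comparison appears in metric_segment's `-95,7 +93,7` hunk (`_.indexOf(options, segment.value)` followed by `options.unshift(_.escape(segment.value))`), assuming `options` there is built with the same escaping outside the hunk. The `_.unescape` added to `updater` in the `-129,6 +129,7` hunk relies on every option having gone through `_.escape`; a one-line comment there, `// typeahead options are HTML-escaped; restore the raw value before comparing with part.params`, would record that. sqlPartEditorDirective begins before and continues past both hunks.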
...@@ -3,7 +3,7 @@ import $ from 'jquery'; ...@@ -3,7 +3,7 @@ import $ from 'jquery';
import coreModule from '../core_module'; import coreModule from '../core_module';
/** @ngInject */ /** @ngInject */
export function metricSegment($compile, $sce) { export function metricSegment($compile, $sce, templateSrv) {
const inputTemplate = const inputTemplate =
'<input type="text" data-provide="typeahead" ' + '<input type="text" data-provide="typeahead" ' +
' class="gf-form-input input-medium"' + ' class="gf-form-input input-medium"' +
...@@ -41,13 +41,11 @@ export function metricSegment($compile, $sce) { ...@@ -41,13 +41,11 @@ export function metricSegment($compile, $sce) {
return; return;
} }
value = _.unescape(value);
$scope.$apply(() => { $scope.$apply(() => {
const selected = _.find($scope.altSegments, { value: value }); const selected = _.find($scope.altSegments, { value: value });
if (selected) { if (selected) {
segment.value = selected.value; segment.value = selected.value;
segment.html = selected.html || selected.value; segment.html = selected.html || $sce.trustAsHtml(templateSrv.highlightVariablesAsHtml(selected.value));
segment.fake = false; segment.fake = false;
segment.expandable = selected.expandable; segment.expandable = selected.expandable;
...@@ -56,7 +54,7 @@ export function metricSegment($compile, $sce) { ...@@ -56,7 +54,7 @@ export function metricSegment($compile, $sce) {
} }
} else if (segment.custom !== 'false') { } else if (segment.custom !== 'false') {
segment.value = value; segment.value = value;
segment.html = $sce.trustAsHtml(value); segment.html = $sce.trustAsHtml(templateSrv.highlightVariablesAsHtml(value));
segment.expandable = true; segment.expandable = true;
segment.fake = false; segment.fake = false;
} }
...@@ -95,7 +93,7 @@ export function metricSegment($compile, $sce) { ...@@ -95,7 +93,7 @@ export function metricSegment($compile, $sce) {
// add custom values // add custom values
if (segment.custom !== 'false') { if (segment.custom !== 'false') {
if (!segment.fake && _.indexOf(options, segment.value) === -1) { if (!segment.fake && _.indexOf(options, segment.value) === -1) {
options.unshift(segment.value); options.unshift(_.escape(segment.value));
} }
} }
...@@ -105,6 +103,7 @@ export function metricSegment($compile, $sce) { ...@@ -105,6 +103,7 @@ export function metricSegment($compile, $sce) {
}; };
$scope.updater = value => { $scope.updater = value => {
value = _.unescape(value);
if (value === segment.value) { if (value === segment.value) {
clearTimeout(cancelBlur); clearTimeout(cancelBlur);
$input.focus(); $input.focus();
......
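Review bot: At the two `segment.html = $sce.trustAsHtml(templateSrv.highlightVariablesAsHtml(...))` lines in the `-41,13 +41,11` and `-56,7 +54,7` hunks the markup is marked trusted with no escaping visible at the call site, so whether `value` (just `_.unescape`d, hence able to contain `<` again) is HTML-escaped now depends entirely on `highlightVariablesAsHtml`, whose body is not in this diff. Record that dependency where it is relied on, `// highlightVariablesAsHtml must HTML-escape its input: trustAsHtml applies no sanitisation`, and cover it with a test that sends a value such as `<b>` through the custom-value branch and asserts the resulting html is escaped. The new `templateSrv` parameter of `metricSegment` deserves a line in the JSDoc next to the existing `@ngInject` tag. metricSegment's body extends before and after every hunk in this section.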