Commit 69566a23 by Mitsuhiro Tanda

improve security of Prometheus datasource

parent d9b56281
......@@ -6,6 +6,7 @@ import (
"net/http"
"net/http/httputil"
"net/url"
"strings"
"time"
"github.com/grafana/grafana/pkg/api/cloudwatch"
......@@ -107,6 +108,13 @@ func ProxyDataSourceRequest(c *middleware.Context) {
proxyPath := c.Params("*")
if ds.Type == m.DS_PROMETHEUS {
if !(c.Req.Request.Method == "GET" && strings.Index(proxyPath, "api/") == 0) {
c.JsonApiErr(403, "GET is only allowed on proxied Prometheus datasource", nil)
return
}
}
if ds.Type == m.DS_ES {
if c.Req.Request.Method == "DELETE" {
c.JsonApiErr(403, "Deletes not allowed on proxied Elasticsearch datasource", nil)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment