Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
N
nexpie-grafana-theme
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Registry
Registry
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Kornkitt Poolsup
nexpie-grafana-theme
Commits
c856c21b
Unverified
Commit
c856c21b
authored
Nov 19, 2018
by
Torkel Ödegaard
Committed by
GitHub
Nov 19, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #14116 from cinaglia/fix-singlestat-xss
Mitigate XSS vulnerabilities in Singlestat panel
parents
959d7036
ba5a0023
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
13 additions
and
21 deletions
+13
-21
public/app/plugins/panel/singlestat/module.ts
+10
-20
public/app/plugins/panel/singlestat/specs/singlestat.test.ts
+3
-1
No files found.
public/app/plugins/panel/singlestat/module.ts
View file @
c856c21b
...
@@ -77,7 +77,7 @@ class SingleStatCtrl extends MetricsPanelCtrl {
...
@@ -77,7 +77,7 @@ class SingleStatCtrl extends MetricsPanelCtrl {
};
};
/** @ngInject */
/** @ngInject */
constructor
(
$scope
,
$injector
,
private
linkSrv
)
{
constructor
(
$scope
,
$injector
,
private
linkSrv
,
private
$sanitize
)
{
super
(
$scope
,
$injector
);
super
(
$scope
,
$injector
);
_
.
defaults
(
this
.
panel
,
this
.
panelDefaults
);
_
.
defaults
(
this
.
panel
,
this
.
panelDefaults
);
...
@@ -398,14 +398,15 @@ class SingleStatCtrl extends MetricsPanelCtrl {
...
@@ -398,14 +398,15 @@ class SingleStatCtrl extends MetricsPanelCtrl {
const
$location
=
this
.
$location
;
const
$location
=
this
.
$location
;
const
linkSrv
=
this
.
linkSrv
;
const
linkSrv
=
this
.
linkSrv
;
const
$timeout
=
this
.
$timeout
;
const
$timeout
=
this
.
$timeout
;
const
$sanitize
=
this
.
$sanitize
;
const
panel
=
ctrl
.
panel
;
const
panel
=
ctrl
.
panel
;
const
templateSrv
=
this
.
templateSrv
;
const
templateSrv
=
this
.
templateSrv
;
let
data
,
linkInfo
;
let
data
,
linkInfo
;
const
$panelContainer
=
elem
.
find
(
'.panel-container'
);
const
$panelContainer
=
elem
.
find
(
'.panel-container'
);
elem
=
elem
.
find
(
'.singlestat-panel'
);
elem
=
elem
.
find
(
'.singlestat-panel'
);
function
applyColoringThresholds
(
value
,
value
String
)
{
function
applyColoringThresholds
(
valueString
)
{
const
color
=
getColorForValue
(
data
,
value
);
const
color
=
getColorForValue
(
data
,
data
.
value
);
if
(
color
)
{
if
(
color
)
{
return
'<span style="color:'
+
color
+
'">'
+
valueString
+
'</span>'
;
return
'<span style="color:'
+
color
+
'">'
+
valueString
+
'</span>'
;
}
}
...
@@ -413,8 +414,9 @@ class SingleStatCtrl extends MetricsPanelCtrl {
...
@@ -413,8 +414,9 @@ class SingleStatCtrl extends MetricsPanelCtrl {
return
valueString
;
return
valueString
;
}
}
function
getSpan
(
className
,
fontSize
,
value
)
{
function
getSpan
(
className
,
fontSize
,
applyColoring
,
value
)
{
value
=
templateSrv
.
replace
(
value
,
data
.
scopedVars
);
value
=
$sanitize
(
templateSrv
.
replace
(
value
,
data
.
scopedVars
));
value
=
applyColoring
?
applyColoringThresholds
(
value
)
:
value
;
return
'<span class="'
+
className
+
'" style="font-size:'
+
fontSize
+
'">'
+
value
+
'</span>'
;
return
'<span class="'
+
className
+
'" style="font-size:'
+
fontSize
+
'">'
+
value
+
'</span>'
;
}
}
...
@@ -422,25 +424,13 @@ class SingleStatCtrl extends MetricsPanelCtrl {
...
@@ -422,25 +424,13 @@ class SingleStatCtrl extends MetricsPanelCtrl {
let
body
=
'<div class="singlestat-panel-value-container">'
;
let
body
=
'<div class="singlestat-panel-value-container">'
;
if
(
panel
.
prefix
)
{
if
(
panel
.
prefix
)
{
let
prefix
=
panel
.
prefix
;
body
+=
getSpan
(
'singlestat-panel-prefix'
,
panel
.
prefixFontSize
,
panel
.
colorPrefix
,
panel
.
prefix
);
if
(
panel
.
colorPrefix
)
{
prefix
=
applyColoringThresholds
(
data
.
value
,
panel
.
prefix
);
}
body
+=
getSpan
(
'singlestat-panel-prefix'
,
panel
.
prefixFontSize
,
prefix
);
}
}
let
value
=
data
.
valueFormatted
;
body
+=
getSpan
(
'singlestat-panel-value'
,
panel
.
valueFontSize
,
panel
.
colorValue
,
data
.
valueFormatted
);
if
(
panel
.
colorValue
)
{
value
=
applyColoringThresholds
(
data
.
value
,
value
);
}
body
+=
getSpan
(
'singlestat-panel-value'
,
panel
.
valueFontSize
,
value
);
if
(
panel
.
postfix
)
{
if
(
panel
.
postfix
)
{
let
postfix
=
panel
.
postfix
;
body
+=
getSpan
(
'singlestat-panel-postfix'
,
panel
.
postfixFontSize
,
panel
.
colorPostfix
,
panel
.
postfix
);
if
(
panel
.
colorPostfix
)
{
postfix
=
applyColoringThresholds
(
data
.
value
,
panel
.
postfix
);
}
body
+=
getSpan
(
'singlestat-panel-postfix'
,
panel
.
postfixFontSize
,
postfix
);
}
}
body
+=
'</div>'
;
body
+=
'</div>'
;
...
...
public/app/plugins/panel/singlestat/specs/singlestat.test.ts
View file @
c856c21b
...
@@ -14,6 +14,8 @@ describe('SingleStatCtrl', () => {
...
@@ -14,6 +14,8 @@ describe('SingleStatCtrl', () => {
get
:
()
=>
{},
get
:
()
=>
{},
};
};
const
$sanitize
=
{};
SingleStatCtrl
.
prototype
.
panel
=
{
SingleStatCtrl
.
prototype
.
panel
=
{
events
:
{
events
:
{
on
:
()
=>
{},
on
:
()
=>
{},
...
@@ -31,7 +33,7 @@ describe('SingleStatCtrl', () => {
...
@@ -31,7 +33,7 @@ describe('SingleStatCtrl', () => {
describe
(
desc
,
()
=>
{
describe
(
desc
,
()
=>
{
ctx
.
setup
=
setupFunc
=>
{
ctx
.
setup
=
setupFunc
=>
{
beforeEach
(()
=>
{
beforeEach
(()
=>
{
ctx
.
ctrl
=
new
SingleStatCtrl
(
$scope
,
$injector
,
{});
ctx
.
ctrl
=
new
SingleStatCtrl
(
$scope
,
$injector
,
{}
,
$sanitize
);
setupFunc
();
setupFunc
();
ctx
.
ctrl
.
onDataReceived
(
ctx
.
data
);
ctx
.
ctrl
.
onDataReceived
(
ctx
.
data
);
ctx
.
data
=
ctx
.
ctrl
.
data
;
ctx
.
data
=
ctx
.
ctrl
.
data
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment