Affected by GO-2022-0342 and 27 other vulnerabilities

GO-2022-0342: Grafana XSS in Dashboard Text Panel in github.com/grafana/grafana

GO-2022-0707: Grafana Authentication Bypass in github.com/grafana/grafana

GO-2024-2483: Grafana XSS via adding a link in General feature in github.com/grafana/grafana

GO-2024-2510: Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana

GO-2024-2513: Grafana information disclosure in github.com/grafana/grafana

GO-2024-2515: Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana

GO-2024-2516: Grafana XSS via a column style in github.com/grafana/grafana

GO-2024-2517: Grafana XSS in header column rename in github.com/grafana/grafana

GO-2024-2519: Grafana world readable configuration files in github.com/grafana/grafana

GO-2024-2520: Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana

GO-2024-2523: Grafana stored XSS in github.com/grafana/grafana

GO-2024-2629: Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana

GO-2024-2661: Arbitrary file read in github.com/grafana/grafana

GO-2024-2697: Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana

GO-2024-2843: Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana

GO-2024-2844: Grafana User enumeration via forget password in github.com/grafana/grafana

GO-2024-2847: Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana

GO-2024-2848: Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana

GO-2024-2851: Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana

GO-2024-2852: Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana

GO-2024-2854: Grafana folders admin only permission privilege escalation in github.com/grafana/grafana

GO-2024-2855: Grafana Plugin signature bypass in github.com/grafana/grafana

GO-2024-2856: Grafana Race condition allowing privilege escalation in github.com/grafana/grafana

GO-2024-2857: Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana

GO-2024-2867: Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana

GO-2024-3079: Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana

GO-2024-3215: Grafana Command Injection And Local File Inclusion Via Sql Expressions in github.com/grafana/grafana

GO-2024-3240: Grafana org admin can delete pending invites in different org in github.com/grafana/grafana

auth

package

v0.0.0-cloud Latest Latest Go to latest Published: Mar 30, 2023 License: AGPL-3.0 Imports: 9 Imported by: 85

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/grafana/grafana

Documentation ¶

Index ¶

Constants
Variables
type CreateTokenErr
- func (e *CreateTokenErr) Error() string
type JWTVerifierService
type RevokeAuthTokenCmd
type RotateCommand
type TokenExpiredError
- func (e *TokenExpiredError) Error() string
- func (e *TokenExpiredError) Unwrap() error
type TokenRevokedError
type UserToken
type UserTokenBackgroundService
type UserTokenService

Constants ¶

View Source

const (
	QuotaTargetSrv quota.TargetSrv = "auth"
	QuotaTarget    quota.Target    = "session"
)

Variables ¶

View Source

var (
	ErrUserTokenNotFound   = errors.New("user token not found")
	ErrInvalidSessionToken = usertoken.ErrInvalidSessionToken
)

Typed errors

Functions ¶

This section is empty.

Types ¶

type CreateTokenErr ¶

type CreateTokenErr struct {
	StatusCode  int
	InternalErr error
	ExternalErr string
}

CreateTokenErr represents a token creation error; used in Enterprise

func (*CreateTokenErr) Error ¶

func (e *CreateTokenErr) Error() string

type JWTVerifierService ¶

type JWTVerifierService = jwt.JWTService

type RevokeAuthTokenCmd ¶

type RevokeAuthTokenCmd struct {
	AuthTokenId int64 `json:"authTokenId"`
}

type RotateCommand ¶

type RotateCommand struct {
	// token is the un-hashed token
	UnHashedToken string
	IP            net.IP
	UserAgent     string
}

type TokenExpiredError ¶

type TokenExpiredError struct {
	UserID  int64
	TokenID int64
}

func (*TokenExpiredError) Error ¶

func (e *TokenExpiredError) Error() string

func (*TokenExpiredError) Unwrap ¶

func (e *TokenExpiredError) Unwrap() error

type TokenRevokedError ¶

type TokenRevokedError = usertoken.TokenRevokedError

type UserToken ¶

type UserToken = usertoken.UserToken

type UserTokenBackgroundService ¶

type UserTokenBackgroundService interface {
	registry.BackgroundService
}

type UserTokenService ¶

type UserTokenService interface {
	CreateToken(ctx context.Context, user *user.User, clientIP net.IP, userAgent string) (*UserToken, error)
	LookupToken(ctx context.Context, unhashedToken string) (*UserToken, error)
	// RotateToken will always rotate a valid token
	RotateToken(ctx context.Context, cmd RotateCommand) (*UserToken, error)
	TryRotateToken(ctx context.Context, token *UserToken, clientIP net.IP, userAgent string) (bool, *UserToken, error)
	RevokeToken(ctx context.Context, token *UserToken, soft bool) error
	RevokeAllUserTokens(ctx context.Context, userId int64) error
	GetUserToken(ctx context.Context, userId, userTokenId int64) (*UserToken, error)
	GetUserTokens(ctx context.Context, userId int64) ([]*UserToken, error)
	GetUserRevokedTokens(ctx context.Context, userId int64) ([]*UserToken, error)
}

UserTokenService are used for generating and validating user tokens

Source Files ¶

View all Source files

auth.go

Directories ¶

Path	Synopsis
authimpl
authtest
jwt

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL