Affected by GO-2024-2483 and 22 other vulnerabilities

GO-2024-2483: Grafana XSS via adding a link in General feature in github.com/grafana/grafana

GO-2024-2510: Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana

GO-2024-2513: Grafana information disclosure in github.com/grafana/grafana

GO-2024-2515: Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana

GO-2024-2516: Grafana XSS via a column style in github.com/grafana/grafana

GO-2024-2517: Grafana XSS in header column rename in github.com/grafana/grafana

GO-2024-2519: Grafana world readable configuration files in github.com/grafana/grafana

GO-2024-2520: Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana

GO-2024-2523: Grafana stored XSS in github.com/grafana/grafana

GO-2024-2629: Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana

GO-2024-2661: Arbitrary file read in github.com/grafana/grafana

GO-2024-2697: Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana

GO-2024-2843: Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana

GO-2024-2844: Grafana User enumeration via forget password in github.com/grafana/grafana

GO-2024-2847: Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana

GO-2024-2848: Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana

GO-2024-2851: Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana

GO-2024-2852: Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana

GO-2024-2854: Grafana folders admin only permission privilege escalation in github.com/grafana/grafana

GO-2024-2855: Grafana Plugin signature bypass in github.com/grafana/grafana

GO-2024-2856: Grafana Race condition allowing privilege escalation in github.com/grafana/grafana

GO-2024-2857: Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana

GO-2024-2867: Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana

middleware

package

v0.0.0-testrgm4 Latest Latest Go to latest Published: Jul 21, 2023 License: AGPL-3.0 Imports: 56 Imported by: 680

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/grafana/grafana

Documentation ¶

Index ¶

Variables
func AddCustomResponseHeaders(cfg *setting.Cfg) web.Handler
func AddDefaultResponseHeaders(cfg *setting.Cfg) web.Handler
func AdminOrEditorAndFeatureEnabled(enabled bool) web.Handler
func Auth(options *AuthOptions) web.Handler
func CanAdminPlugins(cfg *setting.Cfg) func(c *contextmodel.ReqContext)
func ContentSecurityPolicy(cfg *setting.Cfg, logger log.Logger) func(http.Handler) http.Handler
func EnsureEditorOrViewerCanEdit(cfg *setting.Cfg) func(c *contextmodel.ReqContext)
func Gziper() func(http.Handler) http.Handler
func HandleNoCacheHeader(ctx *contextmodel.ReqContext)
func NoAuth() web.Handler
func OrgAdminDashOrFolderAdminOrTeamAdmin(ss db.DB, ds dashboards.DashboardService, ts team.Service) func(c *contextmodel.ReqContext)
func OrgRedirect(cfg *setting.Cfg, userSvc user.Service) web.Handler
func ProvideRouteOperationName(name string) web.Handler
func Quota(quotaService quota.Service) func(string) web.Handler
func Recovery(cfg *setting.Cfg) web.Middleware
func RedirectFromLegacyPanelEditURL(cfg *setting.Cfg) func(c *contextmodel.ReqContext)
func ReqNotSignedIn(c *contextmodel.ReqContext)
func RequestMetrics(features featuremgmt.FeatureToggles) web.Middleware
func RequestTracing(tracer tracing.Tracer) web.Middleware
func RoleAuth(roles ...org.RoleType) web.Handler
func RouteOperationName(req *http.Request) (string, bool)
func SnapshotPublicModeOrSignedIn(cfg *setting.Cfg) web.Handler
func ValidateHostHeader(cfg *setting.Cfg) web.Handler
type AuthOptions

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	ReqGrafanaAdmin = Auth(&AuthOptions{
		ReqSignedIn:     true,
		ReqGrafanaAdmin: true,
	})
	ReqSignedIn            = Auth(&AuthOptions{ReqSignedIn: true})
	ReqSignedInNoAnonymous = Auth(&AuthOptions{ReqSignedIn: true, ReqNoAnonynmous: true})
	ReqEditorRole          = RoleAuth(org.RoleEditor, org.RoleAdmin)
	ReqOrgAdmin            = RoleAuth(org.RoleAdmin)
)

Functions ¶

func AddCustomResponseHeaders ¶

func AddCustomResponseHeaders(cfg *setting.Cfg) web.Handler

func AddDefaultResponseHeaders ¶

func AddDefaultResponseHeaders(cfg *setting.Cfg) web.Handler

func AdminOrEditorAndFeatureEnabled ¶

func AdminOrEditorAndFeatureEnabled(enabled bool) web.Handler

AdminOrEditorAndFeatureEnabled creates a middleware that allows access if the signed in user is either an Org Admin or if they are an Org Editor and the feature flag is enabled. Intended for when feature flags open up access to APIs that are otherwise only available to admins.

func Auth ¶

func Auth(options *AuthOptions) web.Handler

func CanAdminPlugins ¶

func CanAdminPlugins(cfg *setting.Cfg) func(c *contextmodel.ReqContext)

func ContentSecurityPolicy ¶

func ContentSecurityPolicy(cfg *setting.Cfg, logger log.Logger) func(http.Handler) http.Handler

ContentSecurityPolicy sets the configured Content-Security-Policy and/or Content-Security-Policy-Report-Only header(s) in the response.

func EnsureEditorOrViewerCanEdit ¶

func EnsureEditorOrViewerCanEdit(cfg *setting.Cfg) func(c *contextmodel.ReqContext)

func Gziper ¶

func Gziper() func(http.Handler) http.Handler

func HandleNoCacheHeader ¶

func HandleNoCacheHeader(ctx *contextmodel.ReqContext)

func NoAuth ¶

func NoAuth() web.Handler

NoAuth creates a middleware that doesn't require any authentication. If forceLogin param is set it will redirect the user to the login page.

func OrgAdminDashOrFolderAdminOrTeamAdmin ¶

func OrgAdminDashOrFolderAdminOrTeamAdmin(ss db.DB, ds dashboards.DashboardService, ts team.Service) func(c *contextmodel.ReqContext)

func OrgRedirect ¶

func OrgRedirect(cfg *setting.Cfg, userSvc user.Service) web.Handler

OrgRedirect changes org and redirects users if the querystring `orgId` doesn't match the active org.

func ProvideRouteOperationName ¶

func ProvideRouteOperationName(name string) web.Handler

ProvideRouteOperationName creates a named middleware responsible for populating the context with the route operation name that can be used later in the request pipeline. Implements routing.RegisterNamedMiddleware.

func Quota ¶

func Quota(quotaService quota.Service) func(string) web.Handler

Quota returns a function that returns a function used to call quotaservice based on target name

func Recovery ¶

func Recovery(cfg *setting.Cfg) web.Middleware

Recovery returns a middleware that recovers from any panics and writes a 500 if there was one. While Martini is in development mode, Recovery will also output the panic as HTML.

func RedirectFromLegacyPanelEditURL ¶

func RedirectFromLegacyPanelEditURL(cfg *setting.Cfg) func(c *contextmodel.ReqContext)

In Grafana v7.0 we changed panel edit & view query parameters. This middleware tries to detect those old url parameters and direct to the new url query params

func ReqNotSignedIn ¶

func ReqNotSignedIn(c *contextmodel.ReqContext)

func RequestMetrics ¶

func RequestMetrics(features featuremgmt.FeatureToggles) web.Middleware

RequestMetrics is a middleware handler that instruments the request.

func RequestTracing ¶

func RequestTracing(tracer tracing.Tracer) web.Middleware

func RoleAuth ¶

func RoleAuth(roles ...org.RoleType) web.Handler

func RouteOperationName ¶

func RouteOperationName(req *http.Request) (string, bool)

RouteOperationName receives the route operation name from context, if set.

func SnapshotPublicModeOrSignedIn ¶

func SnapshotPublicModeOrSignedIn(cfg *setting.Cfg) web.Handler

SnapshotPublicModeOrSignedIn creates a middleware that allows access if snapshot public mode is enabled or if user is signed in.

func ValidateHostHeader ¶

func ValidateHostHeader(cfg *setting.Cfg) web.Handler

Types ¶

type AuthOptions ¶

type AuthOptions struct {
	ReqGrafanaAdmin bool
	ReqSignedIn     bool
	ReqNoAnonynmous bool
}

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
cookies
csrf
loggermw

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL