Affected by GO-2022-0342 and 28 other vulnerabilities

GO-2022-0342: Grafana XSS in Dashboard Text Panel in github.com/grafana/grafana

GO-2022-0707: Grafana Authentication Bypass in github.com/grafana/grafana

GO-2024-2483: Grafana XSS via adding a link in General feature in github.com/grafana/grafana

GO-2024-2510: Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana

GO-2024-2513: Grafana information disclosure in github.com/grafana/grafana

GO-2024-2515: Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana

GO-2024-2516: Grafana XSS via a column style in github.com/grafana/grafana

GO-2024-2517: Grafana XSS in header column rename in github.com/grafana/grafana

GO-2024-2519: Grafana world readable configuration files in github.com/grafana/grafana

GO-2024-2520: Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana

GO-2024-2523: Grafana stored XSS in github.com/grafana/grafana

GO-2024-2629: Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana

GO-2024-2661: Arbitrary file read in github.com/grafana/grafana

GO-2024-2697: Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana

GO-2024-2843: Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana

GO-2024-2844: Grafana User enumeration via forget password in github.com/grafana/grafana

GO-2024-2847: Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana

GO-2024-2848: Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana

GO-2024-2851: Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana

GO-2024-2852: Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana

GO-2024-2854: Grafana folders admin only permission privilege escalation in github.com/grafana/grafana

GO-2024-2855: Grafana Plugin signature bypass in github.com/grafana/grafana

GO-2024-2856: Grafana Race condition allowing privilege escalation in github.com/grafana/grafana

GO-2024-2857: Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana

GO-2024-2867: Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana

GO-2024-3079: Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana

GO-2024-3215: Grafana Command Injection And Local File Inclusion Via Sql Expressions in github.com/grafana/grafana

GO-2024-3240: Grafana org admin can delete pending invites in different org in github.com/grafana/grafana

GO-2025-3438: Grafana Alerting VictorOps integration could be exposed to users with Viewer permission in github.com/grafana/grafana

guardian

package

v0.0.1-test Latest Latest Go to latest Published: Oct 6, 2022 License: AGPL-3.0 Imports: 11 Imported by: 215

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/grafana/grafana

Documentation ¶

Index ¶

Variables
func InitAccessControlGuardian(store sqlstore.Store, ac accesscontrol.AccessControl, ...)
func InitLegacyGuardian(store sqlstore.Store, dashSvc dashboards.DashboardService, ...)
func MockDashboardGuardian(mock *FakeDashboardGuardian)
type AccessControlDashboardGuardian
- func NewAccessControlDashboardGuardian(ctx context.Context, dashboardId int64, user *user.SignedInUser, ...) *AccessControlDashboardGuardian
type DashboardGuardian
type FakeDashboardGuardian
type Provider
- func ProvideService(store *sqlstore.SQLStore, ac accesscontrol.AccessControl, ...) *Provider

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	ErrGuardianPermissionExists = errors.New("permission already exists")
	ErrGuardianOverride         = errors.New("you can only override a permission to be higher")
)

View Source

var New = func(ctx context.Context, dashId int64, orgId int64, user *user.SignedInUser) DashboardGuardian {
	panic("no guardian factory implementation provided")
}

New factory for creating a new dashboard guardian instance When using access control this function is replaced on startup and the AccessControlDashboardGuardian is returned

Functions ¶

func InitAccessControlGuardian ¶

func InitAccessControlGuardian(
	store sqlstore.Store, ac accesscontrol.AccessControl, folderPermissionsService accesscontrol.FolderPermissionsService,
	dashboardPermissionsService accesscontrol.DashboardPermissionsService, dashboardService dashboards.DashboardService,
)

func InitLegacyGuardian ¶

func InitLegacyGuardian(store sqlstore.Store, dashSvc dashboards.DashboardService, teamSvc team.Service)

func MockDashboardGuardian ¶

func MockDashboardGuardian(mock *FakeDashboardGuardian)

nolint:unused

Types ¶

type AccessControlDashboardGuardian ¶

type AccessControlDashboardGuardian struct {
	// contains filtered or unexported fields
}

func NewAccessControlDashboardGuardian ¶

func NewAccessControlDashboardGuardian(
	ctx context.Context, dashboardId int64, user *user.SignedInUser,
	store sqlstore.Store, ac accesscontrol.AccessControl,
	folderPermissionsService accesscontrol.FolderPermissionsService,
	dashboardPermissionsService accesscontrol.DashboardPermissionsService,
	dashboardService dashboards.DashboardService,
) *AccessControlDashboardGuardian

func (*AccessControlDashboardGuardian) CanAdmin ¶

func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error)

func (*AccessControlDashboardGuardian) CanCreate ¶

func (a *AccessControlDashboardGuardian) CanCreate(folderID int64, isFolder bool) (bool, error)

func (*AccessControlDashboardGuardian) CanDelete ¶

func (a *AccessControlDashboardGuardian) CanDelete() (bool, error)

func (*AccessControlDashboardGuardian) CanEdit ¶

func (a *AccessControlDashboardGuardian) CanEdit() (bool, error)

func (*AccessControlDashboardGuardian) CanSave ¶

func (a *AccessControlDashboardGuardian) CanSave() (bool, error)

func (*AccessControlDashboardGuardian) CanView ¶

func (a *AccessControlDashboardGuardian) CanView() (bool, error)

func (*AccessControlDashboardGuardian) CheckPermissionBeforeUpdate ¶

func (a *AccessControlDashboardGuardian) CheckPermissionBeforeUpdate(permission models.PermissionType, updatePermissions []*models.DashboardACL) (bool, error)

func (*AccessControlDashboardGuardian) GetACL ¶

func (a *AccessControlDashboardGuardian) GetACL() ([]*models.DashboardACLInfoDTO, error)

GetACL translate access control permissions to dashboard acl info

func (*AccessControlDashboardGuardian) GetACLWithoutDuplicates ¶

func (a *AccessControlDashboardGuardian) GetACLWithoutDuplicates() ([]*models.DashboardACLInfoDTO, error)

func (*AccessControlDashboardGuardian) GetHiddenACL ¶

func (a *AccessControlDashboardGuardian) GetHiddenACL(cfg *setting.Cfg) ([]*models.DashboardACL, error)

type DashboardGuardian ¶

type DashboardGuardian interface {
	CanSave() (bool, error)
	CanEdit() (bool, error)
	CanView() (bool, error)
	CanAdmin() (bool, error)
	CanDelete() (bool, error)
	CanCreate(folderID int64, isFolder bool) (bool, error)
	CheckPermissionBeforeUpdate(permission models.PermissionType, updatePermissions []*models.DashboardACL) (bool, error)

	// GetACL returns ACL.
	GetACL() ([]*models.DashboardACLInfoDTO, error)

	// GetACLWithoutDuplicates returns ACL and strips any permission
	// that already has an inherited permission with higher or equal
	// permission.
	GetACLWithoutDuplicates() ([]*models.DashboardACLInfoDTO, error)
	GetHiddenACL(*setting.Cfg) ([]*models.DashboardACL, error)
}

DashboardGuardian to be used for guard against operations without access on dashboard and acl

type FakeDashboardGuardian ¶

type FakeDashboardGuardian struct {
	DashId                           int64
	OrgId                            int64
	User                             *user.SignedInUser
	CanSaveValue                     bool
	CanEditValue                     bool
	CanViewValue                     bool
	CanAdminValue                    bool
	HasPermissionValue               bool
	CheckPermissionBeforeUpdateValue bool
	CheckPermissionBeforeUpdateError error
	GetACLValue                      []*models.DashboardACLInfoDTO
	GetHiddenACLValue                []*models.DashboardACL
}

nolint:unused

func (*FakeDashboardGuardian) CanAdmin ¶

func (g *FakeDashboardGuardian) CanAdmin() (bool, error)

func (*FakeDashboardGuardian) CanCreate ¶

func (g *FakeDashboardGuardian) CanCreate(_ int64, _ bool) (bool, error)

func (*FakeDashboardGuardian) CanDelete ¶

func (g *FakeDashboardGuardian) CanDelete() (bool, error)

func (*FakeDashboardGuardian) CanEdit ¶

func (g *FakeDashboardGuardian) CanEdit() (bool, error)

func (*FakeDashboardGuardian) CanSave ¶

func (g *FakeDashboardGuardian) CanSave() (bool, error)

func (*FakeDashboardGuardian) CanView ¶

func (g *FakeDashboardGuardian) CanView() (bool, error)

func (*FakeDashboardGuardian) CheckPermissionBeforeUpdate ¶

func (g *FakeDashboardGuardian) CheckPermissionBeforeUpdate(permission models.PermissionType, updatePermissions []*models.DashboardACL) (bool, error)

func (*FakeDashboardGuardian) GetACL ¶

func (g *FakeDashboardGuardian) GetACL() ([]*models.DashboardACLInfoDTO, error)

func (*FakeDashboardGuardian) GetACLWithoutDuplicates ¶

func (g *FakeDashboardGuardian) GetACLWithoutDuplicates() ([]*models.DashboardACLInfoDTO, error)

func (*FakeDashboardGuardian) GetHiddenACL ¶

func (g *FakeDashboardGuardian) GetHiddenACL(cfg *setting.Cfg) ([]*models.DashboardACL, error)

func (*FakeDashboardGuardian) HasPermission ¶

func (g *FakeDashboardGuardian) HasPermission(permission models.PermissionType) (bool, error)

type Provider ¶

type Provider struct{}

func ProvideService ¶

func ProvideService(
	store *sqlstore.SQLStore, ac accesscontrol.AccessControl,
	folderPermissionsService accesscontrol.FolderPermissionsService, dashboardPermissionsService accesscontrol.DashboardPermissionsService,
	dashboardService dashboards.DashboardService, teamService team.Service,
) *Provider

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL