Grafana Queries

ql/src/security/CWE-200/GrafanaExternalSnapshotsEnabled.md

@@ -0,0 +1,69 @@
+# External snapshots enabled in Grafana
+
+This query identifies Microsoft.Dashboard/grafana resources that have external snapshots enabled, which could potentially lead to data leakage.
+
+## Description
+
+Grafana allows users to create and share snapshots of dashboards. When the `externalEnabled` property in the snapshots configuration is set to `true`, users can publish these snapshots to an external, public snapshot server. This means that dashboard data, which may include sensitive metrics or information, could be shared outside of your organization.
+
+External snapshots are stored on a public server provided by Grafana Labs, and anyone with the link can view the snapshot. This creates a risk of sensitive data exposure if users inadvertently share snapshots containing confidential information.
+
+## Recommendation
+
+Unless external snapshots are specifically required for your use case, disable external snapshots by setting the `externalEnabled` property to `false`. This ensures that snapshots can only be shared internally within your Grafana instance, reducing the risk of accidental data leakage.
+
+## Example of vulnerable code
+
+```bicep
+resource vulnerableGrafana 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'grafana-external-snapshots'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      snapshots: {
+        externalEnabled: true  // Vulnerable: External snapshots are enabled
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+```
+
+## Example of secure code
+
+```bicep
+resource secureGrafana 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'grafana-internal-snapshots'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      snapshots: {
+        externalEnabled: false  // Secure: External snapshots are disabled
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// Alternative: omit the snapshots configuration block entirely to use default settings
+resource secureGrafanaAlt 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'grafana-default-snapshots'
+  location: 'eastus'
+  properties: {
+    // No explicit snapshots configuration, using defaults
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+```
+
+## References
+
+* [Grafana snapshot documentation](https://grafana.com/docs/grafana/latest/dashboards/share-dashboards-panels/#publish-a-snapshot)
+* [Azure Managed Grafana documentation](https://learn.microsoft.com/en-us/azure/managed-grafana/)
+* [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html)

ql/src/security/CWE-200/GrafanaExternalSnapshotsEnabled.ql

@@ -0,0 +1,31 @@
+/**
+ * @name External snapshots enabled in Grafana
+ * @description External snapshots in Grafana allow sharing dashboard data with external services,
+ *              which could potentially lead to data leakage.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 4.0
+ * @precision high
+ * @id bicep/grafana-external-snapshots-enabled
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-200
+ */
+
+import bicep
+import codeql.bicep.frameworks.Microsoft.Dashboards
+
+from Dashboards::GrafanaResource grafana, 
+     Dashboards::GrafanaProperties::Properties props,
+     Dashboards::GrafanaProperties::GrafanaConfigurations configs,
+     Dashboards::GrafanaProperties::Snapshots snapshots
+where 
+  props = grafana.getProperties() and
+  configs = props.getGrafanaConfigurations() and
+  snapshots = configs.getSnapshots() and
+  snapshots.hasExternalEnabled() and
+  snapshots.externalEnabled() = true
+select snapshots, 
+       "External snapshots are enabled in Grafana configuration, which could lead to " +
+       "unintended sharing of dashboard data with external services."

ql/src/security/CWE-272/GrafanaExcessiveEditorPermissions.md

@@ -0,0 +1,74 @@
+# Excessive permissions for Grafana editors
+
+This query identifies Microsoft.Dashboard/grafana resources that grant administrative capabilities to editor users, which reduces the effectiveness of access control and can lead to privilege escalation.
+
+## Description
+
+Azure Managed Grafana supports different user roles with varying levels of permissions. The `editorsCanAdmin` property in the users configuration determines whether users with the editor role can administrate dashboards, folders, and teams they create. When set to `true`, editors gain administrative capabilities that go beyond their standard role, potentially violating the principle of least privilege.
+
+This configuration can lead to unintended privilege escalation, where editors gain more control over the Grafana instance than intended. It could result in unauthorized access to sensitive data, changes to important dashboards, or modifications to team permissions.
+
+## Recommendation
+
+Follow the principle of least privilege by setting the `editorsCanAdmin` property to `false` or omitting it (the default is `false`). If certain users need administrative capabilities, consider granting them the admin role instead of elevating all editors' permissions.
+
+## Example of vulnerable code
+
+```bicep
+resource vulnerableGrafana 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'grafana-excessive-editor-perms'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        editorsCanAdmin: true  // Vulnerable: Editors have admin capabilities
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+```
+
+## Example of secure code
+
+```bicep
+resource secureGrafana 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'grafana-proper-editor-perms'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        editorsCanAdmin: false  // Secure: Editors do not have admin capabilities
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// Alternative: omit the editorsCanAdmin property to use default (false)
+resource secureGrafanaAlt 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'grafana-default-editor-perms'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        // editorsCanAdmin property omitted (defaults to false)
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+```
+
+## References
+
+* [Grafana user permissions documentation](https://grafana.com/docs/grafana/latest/administration/user-management/user-roles/)
+* [Azure Managed Grafana documentation](https://learn.microsoft.com/en-us/azure/managed-grafana/)
+* [CWE-272: Least Privilege Violation](https://cwe.mitre.org/data/definitions/272.html)
+* [Principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege)

ql/src/security/CWE-272/GrafanaExcessiveEditorPermissions.ql

@@ -0,0 +1,31 @@
+/**
+ * @name Excessive permissions for Grafana editors
+ * @description Granting admin permissions to editors reduces the effectiveness of access control
+ *              and can lead to privilege escalation.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id bicep/grafana-excessive-editor-permissions
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-272
+ */
+
+import bicep
+import codeql.bicep.frameworks.Microsoft.Dashboards
+
+from Dashboards::GrafanaResource grafana, 
+     Dashboards::GrafanaProperties::Properties props,
+     Dashboards::GrafanaProperties::GrafanaConfigurations configs,
+     Dashboards::GrafanaProperties::Users users
+where 
+  props = grafana.getProperties() and
+  configs = props.getGrafanaConfigurations() and
+  users = configs.getUsers() and
+  users.hasEditorsCanAdmin() and
+  users.editorsCanAdmin() = true
+select users, 
+       "Excessive permissions granted to Grafana editors (editorsCanAdmin=true). " +
+       "This allows editors to administrate dashboards, folders and teams they create."

ql/src/security/CWE-272/GrafanaExcessiveViewerPermissions.md

@@ -0,0 +1,74 @@
+# Excessive permissions for Grafana viewers
+
+This query identifies Microsoft.Dashboard/grafana resources that grant edit capabilities to viewer users, which reduces the effectiveness of access control and can lead to unauthorized changes to dashboards.
+
+## Description
+
+Azure Managed Grafana supports different user roles with varying levels of permissions. The `viewersCanEdit` property in the users configuration determines whether users with the viewer role can make temporary edits to dashboards they have access to. When set to `true`, viewers gain more capabilities than they typically should have based on the principle of least privilege.
+
+While these edits are temporary and cannot be saved permanently, it still represents a weakening of the role-based access control model and could lead to confusion, accidental changes, or potential misuse of the dashboard data.
+
+## Recommendation
+
+Follow the principle of least privilege by setting the `viewersCanEdit` property to `false` or omitting it (the default is `false`). If certain users need to make edits to dashboards, consider granting them the editor role instead of giving all viewers edit capabilities.
+
+## Example of vulnerable code
+
+```bicep
+resource vulnerableGrafana 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'grafana-excessive-viewer-perms'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        viewersCanEdit: true  // Vulnerable: Viewers can edit dashboards
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+```
+
+## Example of secure code
+
+```bicep
+resource secureGrafana 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'grafana-proper-viewer-perms'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        viewersCanEdit: false  // Secure: Viewers cannot edit dashboards
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+
+// Alternative: omit the viewersCanEdit property to use default (false)
+resource secureGrafanaAlt 'Microsoft.Dashboard/grafana@2024-11-01-preview' = {
+  name: 'grafana-default-viewer-perms'
+  location: 'eastus'
+  properties: {
+    grafanaConfigurations: {
+      users: {
+        // viewersCanEdit property omitted (defaults to false)
+      }
+    }
+  }
+  sku: {
+    name: 'Standard'
+  }
+}
+```
+
+## References
+
+* [Grafana user permissions documentation](https://grafana.com/docs/grafana/latest/administration/user-management/user-roles/)
+* [Azure Managed Grafana documentation](https://learn.microsoft.com/en-us/azure/managed-grafana/)
+* [CWE-272: Least Privilege Violation](https://cwe.mitre.org/data/definitions/272.html)
+* [Principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege)

ql/src/security/CWE-272/GrafanaExcessiveViewerPermissions.ql

@@ -0,0 +1,31 @@
+/**
+ * @name Excessive permissions for Grafana viewers
+ * @description Granting edit permissions to viewers reduces the effectiveness of access control
+ *              and can lead to unauthorized changes to dashboards.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 4.0
+ * @precision high
+ * @id bicep/grafana-excessive-viewer-permissions
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-272
+ */
+
+import bicep
+import codeql.bicep.frameworks.Microsoft.Dashboards
+
+from Dashboards::GrafanaResource grafana, 
+     Dashboards::GrafanaProperties::Properties props,
+     Dashboards::GrafanaProperties::GrafanaConfigurations configs,
+     Dashboards::GrafanaProperties::Users users
+where 
+  props = grafana.getProperties() and
+  configs = props.getGrafanaConfigurations() and
+  users = configs.getUsers() and
+  users.hasViewersCanEdit() and
+  users.viewersCanEdit() = true
+select users, 
+       "Excessive permissions granted to Grafana viewers (viewersCanEdit=true). " +
+       "This allows viewers to make temporary edits to dashboards they have access to."