[v7.5.x] Add CSRF checks #234 (#235)

* vendor binding library * fix content type checks * trigger drone * Fix drone lint * make linter happy * trigger drone Co-authored-by: dsotirakis <sotirakis.dim@gmail.com>
grafana · Jan 25, 2022 · 7dd69b2 · 7dd69b2
1 parent 235ea7a
commit 7dd69b2
Show file tree

Hide file tree

Showing 9 changed files with 1,059 additions and 5 deletions.
diff --git a/.drone.yml b/.drone.yml
@@ -3383,8 +3383,4 @@ depends_on:
 - enterprise-build-release-branch
 - enterprise-windows-release-branch
 
----
-kind: signature
-hmac: 0f0bf06ef65b9b151d7a9dbfdd4312c595b4986b62b3eb3a7835a1d93df22d20
-
 ...
diff --git a/Makefile b/Makefile
@@ -163,7 +163,6 @@ clean: ## Clean up intermediate build artifacts.
 drone: $(DRONE)
 	$(DRONE) starlark --format
 	$(DRONE) lint .drone.yml --trusted
-	$(DRONE) --server https://drone.grafana.net sign --save grafana/grafana
 
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
diff --git a/go.mod b/go.mod
@@ -109,3 +109,5 @@ require (
 replace github.com/apache/thrift => github.com/apache/thrift v0.14.1
 
 replace gopkg.in/macaron.v1 v1.4.0 => ./pkg/macaron
+
+replace github.com/go-macaron/binding => ./pkg/macaron/binding
diff --git a/pkg/api/http_server.go b/pkg/api/http_server.go
@@ -312,6 +312,7 @@ func (hs *HTTPServer) addMiddlewaresAndStaticRoutes() {
 	}
 
 	m.Use(middleware.Recovery(hs.Cfg))
+	m.Use(middleware.CSRF(hs.Cfg.LoginCookieName))
 
 	for _, route := range plugins.StaticRoutes {
 		pluginRoute := path.Join("/public/plugins/", route.PluginId)