Graph: Fix XSS vulnerability with series overrides #25401
Conversation
public/app/plugins/datasource/testdata/partials/query.editor.html
LGTM!
* Fix XSS vulnerability with Graph series overrides
* Update public/app/plugins/datasource/testdata/partials/query.editor.html
Unfortunately the bug introduced with this XSS fix is still present. For example, when Grafana is used with OpenHAB and InfluxDB, some labels may contain quotes (`""`), and when someone tries to add a time series overwrite and selects a value based on the typeahead suggestions, the overwrite has the wrong name and won't work correctly. To reproduce, just add a dummy data source with a series named `foo123<>"` and then try to add a time series overwrite for a dashboard plotting this data.
This fixes a possible XSS vulnerability when specifying a series alias (i.e. in TestData or Elasticsearch).
The problem is caused by the `bs-typeahead` directive, which evals the select options passed to it. We are using an old version of ng-strap which allows only an array of strings to be passed as available options. The alias in the Elasticsearch and TestData query editors allows special characters, so, for instance, specifying the alias as
`<img src onerror="alert(document.cookie)">` creates a possible XSS attack vector. The solution I'm proposing here is:
`<>&"` special characters in it. But only in a situation when someone actually selects such an override, as then the override will contain the escaped string, which will not match any series when Graph overrides are applied. This will fix, and possibly break, external query editors of external data sources that allow alias config. I'm afraid of bumping ng-strap as we have a version that is modified.
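The two concerns raised in this thread are that the typeahead renders option strings as HTML (so an alias must be escaped before it is shown) and that an override built from the escaped string no longer matches the raw series alias. The following is an added example, not Grafana's or ng-strap's code: it escapes aliases for display while keeping a map from the escaped label back to the raw alias, so the selected override still matches the series. The function names, the `Map`-based lookup and the sample aliases (taken from this thread, plus one plain alias) are constructed for illustration.

```javascript
// Added example (not Grafana's code): escape a series alias for display in a
// widget that interprets HTML, while keeping the raw alias for series matching.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five HTML-significant characters. '&' is always replaced, so the
// mapping is injective: two different raw aliases never produce the same label.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Build the option list for the typeahead: labels are escaped strings (safe to
// render), and byLabel lets us recover the raw alias after the user picks one.
function buildOverrideOptions(seriesAliases) {
  const byLabel = new Map();
  const labels = [];
  for (const alias of seriesAliases) {
    const label = escapeHtml(alias);
    if (!byLabel.has(label)) {
      byLabel.set(label, alias);
      labels.push(label);
    }
  }
  return { labels, byLabel };
}

// Resolve the selected (escaped) label back to the raw alias. A label that was
// typed by hand and never escaped is returned unchanged.
function resolveSelectedAlias(options, selectedLabel) {
  return options.byLabel.has(selectedLabel) ? options.byLabel.get(selectedLabel) : selectedLabel;
}

// Override matching compares raw aliases, as the Graph panel does; matching on
// the escaped label would be the mismatch bug described in the thread.
function findSeriesForOverride(series, overrideAlias) {
  return series.filter(s => s.alias === overrideAlias);
}

// Constructed sample data: the two aliases quoted in this thread plus a plain one.
const SAMPLE_SERIES = [
  { alias: 'foo123<>"', points: [1, 2, 3] },
  { alias: '<img src onerror="alert(document.cookie)">', points: [4, 5, 6] },
  { alias: 'plain', points: [7, 8, 9] },
];

// End-to-end: build options, "select" the first label, resolve it, apply the override.
function demo() {
  const options = buildOverrideOptions(SAMPLE_SERIES.map(s => s.alias));
  const picked = options.labels[0];                     // what the user clicks
  const raw = resolveSelectedAlias(options, picked);    // what the override stores
  const matched = findSeriesForOverride(SAMPLE_SERIES, raw);
  return { picked, raw, matchedCount: matched.length };
}
```

Rendering `options.labels` is safe even if the widget treats strings as HTML, because every `<`, `>`, `&`, `"` and `'` has been replaced by an entity; the override itself keeps the raw alias, so the series is still found when overrides are applied.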