Security: Sync security changes on main #45083

dsotirakis · 2022-02-08T15:17:31Z

What this PR does / why we need it:

Security fixes:

Security: Fixes CVE-2022-21702. For more information, see our blog
Security: Fixes CVE-2022-21703. For more information, see our blog
Security: Fixes CVE-2022-21713. For more information, see our blog

…i/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com>

(cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e)

(cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981)

(cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98)

(cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1)

(cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42)

(cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d)

(cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709)

(cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0)

(cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345)

marefr

LGTM

grafanabot · 2022-02-09T12:45:52Z

The backport to v8.4.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-45083-to-v8.4.x origin/v8.4.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x 605d056136b3dce5545bdbd7868acd8778eed9b1
# Push it to GitHub
git push --set-upstream origin backport-45083-to-v8.4.x
git switch main
# Remove the local backport branch
git branch -D backport-45083-to-v8.4.x

Then, create a pull request where the base branch is v8.4.x and the compare/head branch is backport-45083-to-v8.4.x.

* * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com> * remove duplicate WHERE statement * Fix for CVE-2022-21702 (cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e) * Lint and test fixes (cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981) * check content type properly (cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98) * basic csrf origin check (cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1) * compare origin to host (cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42) * simplify url parsing (cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d) * check csrf for GET requests, only compare origin (cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709) * parse content type properly (cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0) * mentioned get in the comment (cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345) * add content-type: application/json to test HTTP requests * fix pluginproxy test * Fix linter when comparing errors Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Dan Cech <dcech@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com> (cherry picked from commit 605d056)

* Security: Sync security changes on main (#45083) * * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com> * remove duplicate WHERE statement * Fix for CVE-2022-21702 (cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e) * Lint and test fixes (cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981) * check content type properly (cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98) * basic csrf origin check (cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1) * compare origin to host (cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42) * simplify url parsing (cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d) * check csrf for GET requests, only compare origin (cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709) * parse content type properly (cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0) * mentioned get in the comment (cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345) * add content-type: application/json to test HTTP requests * fix pluginproxy test * Fix linter when comparing errors Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Dan Cech <dcech@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com> (cherry picked from commit 605d056) * Apply suggestions from code review * remove uneeded test fix from patch Co-authored-by: Dimitris Sotirakis <sotirakis.dim@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: jguer <joao.guerreiro@grafana.com>

* * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com> * remove duplicate WHERE statement * Fix for CVE-2022-21702 (cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e) * Lint and test fixes (cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981) * check content type properly (cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98) * basic csrf origin check (cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1) * compare origin to host (cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42) * simplify url parsing (cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d) * check csrf for GET requests, only compare origin (cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709) * parse content type properly (cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0) * mentioned get in the comment (cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345) * add content-type: application/json to test HTTP requests * fix pluginproxy test * Fix linter when comparing errors Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Dan Cech <dcech@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>

kminehart and others added 12 commits January 24, 2022 15:32

remove duplicate WHERE statement

190cf95

Fix for CVE-2022-21702

160a600

(cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e)

Lint and test fixes

aaff1bb

(cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981)

check content type properly

8dffad9

(cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98)

basic csrf origin check

27751ae

(cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1)

compare origin to host

1e20d40

(cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42)

simplify url parsing

14bbff6

(cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d)

check csrf for GET requests, only compare origin

f0caad2

(cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709)

parse content type properly

d33b31e

(cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0)

mentioned get in the comment

6b8cc89

(cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345)

resolve conflicts

97f6b96

dsotirakis added the backport v8.4.x Mark PR for automatic backport to v8.4.x label Feb 8, 2022

dsotirakis added this to the 8.4.0 milestone Feb 8, 2022

dsotirakis self-assigned this Feb 8, 2022

grafanabot added area/backend type/docs labels Feb 8, 2022

kminehart added 2 commits February 8, 2022 10:34

add content-type: application/json to test HTTP requests

936b152

fix pluginproxy test

8e97edb

This was referenced Feb 8, 2022

x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21703 golang/vulndb#312

Closed

x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21713 golang/vulndb#313

Closed

Fix linter when comparing errors

9c7f31f

vtorosyan marked this pull request as ready for review February 9, 2022 12:04

vtorosyan requested review from pkolyvas and a team as code owners February 9, 2022 12:04

vtorosyan requested review from kminehart and removed request for a team February 9, 2022 12:04

vtorosyan requested review from idafurjes, malcolmholmes, osg-grafana, KMiller-Grafana, wbrowne, marefr, axelavargas and ashharrison90 and removed request for a team February 9, 2022 12:04

marefr approved these changes Feb 9, 2022

View reviewed changes

vtorosyan merged commit 605d056 into main Feb 9, 2022

vtorosyan deleted the security-fixes-main branch February 9, 2022 12:44

vtorosyan mentioned this pull request Feb 9, 2022

[v8.4.x] Security: Sync security changes on main (#45083) #45140

Merged

IevaVasiljeva mentioned this pull request Feb 15, 2022

Team access changes for editors when editorsCanAdmin is enabled #45405

Merged

This was referenced Mar 1, 2022

x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21703 jba/nested-modules#203

Open

x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21713 jba/nested-modules#205

Open

marefr mentioned this pull request Mar 11, 2022

CPS: Remove the hardcoded Content-Security-Policy header from proxyutil #46427

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Sync security changes on main #45083

Security: Sync security changes on main #45083

dsotirakis commented Feb 8, 2022 •

edited

marefr left a comment

grafanabot commented Feb 9, 2022

Security: Sync security changes on main #45083

Security: Sync security changes on main #45083

Conversation

dsotirakis commented Feb 8, 2022 • edited

marefr left a comment

Choose a reason for hiding this comment

grafanabot commented Feb 9, 2022

dsotirakis commented Feb 8, 2022 •

edited