Enhance URL safety checks by sanitizing URLs (#444)

* Enhance URL safety checks * Release 1.3.21 - Enhance URL safety checks by sanitizing URLs
grafana · Jan 9, 2025 · 844c5bc · 844c5bc
1 parent 9052133
commit 844c5bc
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## v1.3.21 - 2025-01-09
+
+- ⚙️ **Fix**: Enhance URL safety checks by sanitizing urls first.
+
 ## v1.3.20 - 2024-11-28
 
 - 🛡️ **Security**: Update `jsonpath-plus` to version 10.2.0

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "grafana-json-datasource",
-  "version": "1.3.20",
+  "version": "1.3.21",
   "description": "A data source plugin for loading JSON APIs into Grafana",
   "keywords": [
     "grafana",

diff --git a/src/api.ts b/src/api.ts
@@ -160,7 +160,7 @@ export default class Api {
 
 function isSafeURL(origUrl: string) {
   // browsers interpret backslash as slash
-  const url = origUrl.replace(/\\/g, '/');
+  const url = decodeURIComponent(origUrl.replace(/\\/g, '/'));
   if (url.endsWith('/..')) {
     return false;
   }
@@ -173,5 +173,9 @@ function isSafeURL(origUrl: string) {
     return false;
   }
 
+  if (url.includes('\t')) {
+    return false;
+  }
+
   return true;
 }
diff --git a/src/datasource.test.ts b/src/datasource.test.ts
@@ -53,6 +53,8 @@ describe('datasource', () => {
       '\\..\\../',
       '/../..?',
       '\\../..?',
+      '..%2F..%2f..%2F..%2F..%2F..%2Fapi/', // Make sure that encoded paths are also not allowed
+      '.%09.%2f.%09.%2f.%09.%2f.%09.%2fapi/', // Make sure that tabs are also not allowed
     ];
 
     for (let path of badPaths) {