From 844c5bc20a4104831199f8fe5fbc3ea8aa1da4d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zolt=C3=A1n=20Bedi?=
Date: Thu, 9 Jan 2025 15:54:32 +0100
Subject: [PATCH] Enhance URL safety checks by sanitizing URLs (#444)
* Enhance URL safety checks
* Release 1.3.21 - Enhance URL safety checks by sanitizing URLs
---
 CHANGELOG.md | 4 ++++
 package.json | 2 +-
 src/api.ts | 6 +++++-
 src/datasource.test.ts | 2 ++
 4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4eb25f9..7ca22b8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
+## v1.3.21 - 2025-01-09
+
+- ⚙️ **Fix**: Enhance URL safety checks by sanitizing urls first.
+
 ## v1.3.20 - 2024-11-28
 - 🛡️ **Security**: Update `jsonpath-plus` to version 10.2.0
diff --git a/package.json b/package.json
index 6727b7d..fe802d7 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "grafana-json-datasource",
- "version": "1.3.20",
+ "version": "1.3.21",
 "description": "A data source plugin for loading JSON APIs into Grafana",
 "keywords": [
 "grafana",
diff --git a/src/api.ts b/src/api.ts
index eda4d34..e6e3d4f 100644
--- a/src/api.ts
+++ b/src/api.ts
@@ -160,7 +160,7 @@ export default class Api {
 function isSafeURL(origUrl: string) {
 // browsers interpret backslash as slash
- const url = origUrl.replace(/\\/g, '/');
+ const url = decodeURIComponent(origUrl.replace(/\\/g, '/'));
 if (url.endsWith('/..')) {
 return false;
 }
@@ -173,5 +173,9 @@ function isSafeURL(origUrl: string) {
 return false;
 }
+ if (url.includes('\t')) {
+ return false;
+ }
+
 return true;
 }
diff --git a/src/datasource.test.ts b/src/datasource.test.ts
index ff8716b..014030e 100644
--- a/src/datasource.test.ts
+++ b/src/datasource.test.ts
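Review bot: In the first api.ts hunk the backslash normalization runs before `decodeURIComponent`, so a percent-encoded backslash only becomes a backslash after the replace has already happened and therefore never reaches the `/..` checks; decoding first and normalizing second closes that gap. `decodeURIComponent` also throws `URIError` on malformed percent-encoding (a bare `%` or a truncated multibyte sequence), which turns this guard into an exception path for its callers instead of a `false` result, so the decode should be wrapped and a decode failure treated as unsafe. A single decode pass likewise leaves doubly encoded input unnormalized; whether an upstream layer decodes again is not visible here, so if it does, decoding until the string stops changing (with a small iteration cap) is the safer shape. The rest of isSafeURL's body lies between the two hunks; the second hunk's tab check is fine as written.
```typescript
function isSafeURL(origUrl: string) {
  let url: string;
  try {
    // Decode before normalizing so encoded separators are seen by the checks
    // below; malformed percent-encoding is treated as unsafe instead of
    // letting URIError escape to the caller.
    url = decodeURIComponent(origUrl);
  } catch {
    return false;
  }
  // browsers interpret backslash as slash
  url = url.replace(/\\/g, '/');
  if (url.endsWith('/..')) {
  // … unchanged: remaining checks, tab check, return true …
```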
@@ -53,6 +53,8 @@ describe('datasource', () => {
 '\\..\\../',
 '/../..?',
 '\\../..?',
+ '..%2F..%2f..%2F..%2F..%2F..%2Fapi/', // Make sure that encoded paths are also not allowed
+ '.%09.%2f.%09.%2f.%09.%2f.%09.%2fapi/', // Make sure that tabs are also not allowed
 ];
 for (let path of badPaths) {
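Review bot: The new badPaths entries cover encoded separators and tabs but not malformed percent-encoding, which `decodeURIComponent` in isSafeURL now rejects with a `URIError` rather than a `false` return; whether the loop below treats that as the expected rejection depends on its assertion, which is outside this hunk. Once isSafeURL handles the decode failure explicitly, a constructed malformed entry such as `'%E0%A4%A/', // malformed percent-encoding must be rejected, not thrown` would pin that behavior. The badPaths array opens before this hunk and the loop body continues past it.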