Security: Fix do not forward login cookie in outgoing requests

marefr · dsotirakis · commit c658816f5229 · 2022-09-29T09:46:44.000+03:00
(cherry picked from commit 54a32fc83b233f5910495b5fcca0b4f881221538)
diff --git a/pkg/api/metrics_test.go b/pkg/api/metrics_test.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/sqlstore/mockstore"
+	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/web/webtest"
 
 	"golang.org/x/oauth2"
@@ -498,7 +499,7 @@ func TestAPIEndpoint_Metrics_ParseDashboardQueryParams(t *testing.T) {
 // `/ds/query` endpoint test
 func TestAPIEndpoint_Metrics_QueryMetricsV2(t *testing.T) {
 	qds := query.ProvideService(
-		nil,
+		setting.NewCfg(),
 		nil,
 		nil,
 		&fakePluginRequestValidator{},
diff --git a/pkg/api/pluginproxy/ds_proxy.go b/pkg/api/pluginproxy/ds_proxy.go
@@ -214,7 +214,7 @@ func (proxy *DataSourceProxy) director(req *http.Request) {
 		}
 	}
 
-	proxyutil.ClearCookieHeader(req, keepCookieNames)
+	proxyutil.ClearCookieHeader(req, keepCookieNames, []string{proxy.cfg.LoginCookieName})
 	req.Header.Set("User-Agent", fmt.Sprintf("Grafana/%s", setting.BuildVersion))
 
 	jsonData := make(map[string]interface{})
diff --git a/pkg/api/plugins.go b/pkg/api/plugins.go
@@ -555,7 +555,7 @@ func (hs *HTTPServer) makePluginResourceRequest(w http.ResponseWriter, req *http
 		}
 	}
 
-	proxyutil.ClearCookieHeader(req, keepCookieModel.KeepCookies)
+	proxyutil.ClearCookieHeader(req, keepCookieModel.KeepCookies, []string{hs.Cfg.LoginCookieName})
 	proxyutil.PrepareProxyRequest(req)
 
 	body, err := ioutil.ReadAll(req.Body)
diff --git a/pkg/services/query/query_test.go b/pkg/services/query/query_test.go
@@ -5,9 +5,9 @@ import (
 	"net/http"
 	"testing"
 
+	"github.com/grafana/grafana-plugin-sdk-go/backend"
 	"golang.org/x/oauth2"
 
-	"github.com/grafana/grafana-plugin-sdk-go/backend"
 	"github.com/grafana/grafana/pkg/api/dtos"
 	"github.com/grafana/grafana/pkg/components/simplejson"
 	"github.com/grafana/grafana/pkg/models"
diff --git a/pkg/util/proxyutil/proxyutil.go b/pkg/util/proxyutil/proxyutil.go
@@ -3,6 +3,7 @@ package proxyutil
 import (
 	"net"
 	"net/http"
+	"sort"
 )
 
 // PrepareProxyRequest prepares a request for being proxied.
@@ -26,19 +27,31 @@ func PrepareProxyRequest(req *http.Request) {
 	}
 }
 
-// ClearCookieHeader clear cookie header, except for cookies specified to be kept.
-func ClearCookieHeader(req *http.Request, keepCookiesNames []string) {
-	var keepCookies []*http.Cookie
+// ClearCookieHeader clear cookie header, except for cookies specified to be kept (keepCookiesNames) if not in skipCookiesNames.
+func ClearCookieHeader(req *http.Request, keepCookiesNames []string, skipCookiesNames []string) {
+	keepCookies := map[string]*http.Cookie{}
 	for _, c := range req.Cookies() {
 		for _, v := range keepCookiesNames {
 			if c.Name == v {
-				keepCookies = append(keepCookies, c)
+				keepCookies[c.Name] = c
 			}
 		}
 	}
 
+	for _, v := range skipCookiesNames {
+		delete(keepCookies, v)
+	}
+
 	req.Header.Del("Cookie")
-	for _, c := range keepCookies {
+
+	sortedCookies := []string{}
+	for name := range keepCookies {
+		sortedCookies = append(sortedCookies, name)
+	}
+	sort.Strings(sortedCookies)
+
+	for _, name := range sortedCookies {
+		c := keepCookies[name]
 		req.AddCookie(c)
 	}
 }
diff --git a/pkg/util/proxyutil/proxyutil_test.go b/pkg/util/proxyutil/proxyutil_test.go
@@ -49,7 +49,7 @@ func TestClearCookieHeader(t *testing.T) {
 		require.NoError(t, err)
 		req.AddCookie(&http.Cookie{Name: "cookie"})
 
-		ClearCookieHeader(req, nil)
+		ClearCookieHeader(req, nil, nil)
 		require.NotContains(t, req.Header, "Cookie")
 	})
 
@@ -60,8 +60,20 @@ func TestClearCookieHeader(t *testing.T) {
 		req.AddCookie(&http.Cookie{Name: "cookie2"})
 		req.AddCookie(&http.Cookie{Name: "cookie3"})
 
-		ClearCookieHeader(req, []string{"cookie1", "cookie3"})
+		ClearCookieHeader(req, []string{"cookie1", "cookie3"}, nil)
 		require.Contains(t, req.Header, "Cookie")
 		require.Equal(t, "cookie1=; cookie3=", req.Header.Get("Cookie"))
 	})
+
+	t.Run("Clear cookie header with cookies to keep and skip should clear Cookie header and keep cookies", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodGet, "/", nil)
+		require.NoError(t, err)
+		req.AddCookie(&http.Cookie{Name: "cookie1"})
+		req.AddCookie(&http.Cookie{Name: "cookie2"})
+		req.AddCookie(&http.Cookie{Name: "cookie3"})
+
+		ClearCookieHeader(req, []string{"cookie1", "cookie3"}, []string{"cookie3"})
+		require.Contains(t, req.Header, "Cookie")
+		require.Equal(t, "cookie1=", req.Header.Get("Cookie"))
+	})
 }

Original file line number	Diff line number	Diff line change
`@@ -214,7 +214,7 @@ func (proxy DataSourceProxy) director(req http.Request) {`
`214`	`214`	`}`
`215`	`215`	`}`
`216`	`216`
`217`		`- proxyutil.ClearCookieHeader(req, keepCookieNames)`
	`217`	`+ proxyutil.ClearCookieHeader(req, keepCookieNames, []string{proxy.cfg.LoginCookieName})`
`218`	`218`	`req.Header.Set("User-Agent", fmt.Sprintf("Grafana/%s", setting.BuildVersion))`
`219`	`219`
`220`	`220`	`jsonData := make(map[string]interface{})`
Original file line number	Diff line number	Diff line change
`@@ -555,7 +555,7 @@ func (hs HTTPServer) makePluginResourceRequest(w http.ResponseWriter, req http`
`555`	`555`	`}`
`556`	`556`	`}`
`557`	`557`
`558`		`- proxyutil.ClearCookieHeader(req, keepCookieModel.KeepCookies)`
	`558`	`+ proxyutil.ClearCookieHeader(req, keepCookieModel.KeepCookies, []string{hs.Cfg.LoginCookieName})`
`559`	`559`	`proxyutil.PrepareProxyRequest(req)`
`560`	`560`
`561`	`561`	`body, err := ioutil.ReadAll(req.Body)`
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ package proxyutil`
`3`	`3`	`import (`
`4`	`4`	`"net"`
`5`	`5`	`"net/http"`
	`6`	`+ "sort"`
`6`	`7`	`)`
`7`	`8`
`8`	`9`	`// PrepareProxyRequest prepares a request for being proxied.`
`@@ -26,19 +27,31 @@ func PrepareProxyRequest(req *http.Request) {`
`26`	`27`	`}`
`27`	`28`	`}`
`28`	`29`
`29`		`-// ClearCookieHeader clear cookie header, except for cookies specified to be kept.`
`30`		`-func ClearCookieHeader(req *http.Request, keepCookiesNames []string) {`
`31`		`- var keepCookies []*http.Cookie`
	`30`	`+// ClearCookieHeader clear cookie header, except for cookies specified to be kept (keepCookiesNames) if not in skipCookiesNames.`
	`31`	`+func ClearCookieHeader(req *http.Request, keepCookiesNames []string, skipCookiesNames []string) {`
	`32`	`+ keepCookies := map[string]*http.Cookie{}`
`32`	`33`	`for _, c := range req.Cookies() {`
`33`	`34`	`for _, v := range keepCookiesNames {`
`34`	`35`	`if c.Name == v {`
`35`		`- keepCookies = append(keepCookies, c)`
	`36`	`+ keepCookies[c.Name] = c`
`36`	`37`	`}`
`37`	`38`	`}`
`38`	`39`	`}`
`39`	`40`
	`41`	`+ for _, v := range skipCookiesNames {`
	`42`	`+ delete(keepCookies, v)`
	`43`	`+ }`
	`44`	`+`
`40`	`45`	`req.Header.Del("Cookie")`
`41`		`- for _, c := range keepCookies {`
	`46`	`+`
	`47`	`+ sortedCookies := []string{}`
	`48`	`+ for name := range keepCookies {`
	`49`	`+ sortedCookies = append(sortedCookies, name)`
	`50`	`+ }`
	`51`	`+ sort.Strings(sortedCookies)`
	`52`	`+`
	`53`	`+ for _, name := range sortedCookies {`
	`54`	`+ c := keepCookies[name]`
`42`	`55`	`req.AddCookie(c)`
`43`	`56`	`}`
`44`	`57`	`}`