File CVE-2021-27358.patch of Package grafana

commit 43476dc1bb783d7b20be67c2006ef0d33f1094ce
Author: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Date:   Wed Feb 17 09:51:50 2021 +0100

    Snapshots: Disallow anonymous user to create snapshots (#31263)
    
    (cherry picked from commit 8f20b13f1c8e49b224ad807c78f759a302be20b9)

diff --git a/pkg/middleware/auth.go b/pkg/middleware/auth.go
index d61914a2eb75..c94d7a52ddc7 100644
--- a/pkg/middleware/auth.go
+++ b/pkg/middleware/auth.go
@@ -108,15 +108,17 @@ func AdminOrFeatureEnabled(enabled bool) macaron.Handler {
 	}
 }
 
+// SnapshotPublicModeOrSignedIn creates a middleware that allows access
+// if snapshot public mode is enabled or if user is signed in.
 func SnapshotPublicModeOrSignedIn() macaron.Handler {
 	return func(c *models.ReqContext) {
 		if setting.SnapshotPublicMode {
 			return
 		}
 
-		_, err := c.Invoke(ReqSignedIn)
-		if err != nil {
-			c.JsonApiErr(500, "Failed to invoke required signed in middleware", err)
+		if !c.IsSignedIn {
+			notAuthorized(c)
+			return
 		}
 	}
 }
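Review bot: The new doc comment on SnapshotPublicModeOrSignedIn says access is allowed "if user is signed in", but it does not say that an anonymous session is now rejected on purpose, which per the commit title is the reason `c.Invoke(ReqSignedIn)` was replaced by the `!c.IsSignedIn` check. I would add a line such as `// An anonymous session does not count as signed in and is answered by notAuthorized.` so a later refactor does not route this back through a helper that, presumably like ReqSignedIn, lets anonymous sessions through. The comment could also state that the `setting.SnapshotPublicMode` branch returns before any identity check, so enabling that setting leaves the guarded routes open to unauthenticated callers by design.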
diff --git a/pkg/middleware/auth_test.go b/pkg/middleware/auth_test.go
index 0688b458deda..5fb9450c8684 100644
--- a/pkg/middleware/auth_test.go
+++ b/pkg/middleware/auth_test.go
@@ -35,11 +35,22 @@ func TestMiddlewareAuth(t *testing.T) {
 
 		Convey("snapshot public mode or signed in", func() {
 			middlewareScenario(t, "Snapshot public mode disabled and unauthenticated request should return 401", func(sc *scenarioContext) {
-				sc.m.Get("/api/snapshot", SnapshotPublicModeOrSignedIn(), sc.defaultHandler)
+			sc.m.Get("/api/snapshot", func(c *models.ReqContext) {
+				c.IsSignedIn = false
+			}, SnapshotPublicModeOrSignedIn(sc.cfg), sc.defaultHandler)
 				sc.fakeReq("GET", "/api/snapshot").exec()
 				So(sc.resp.Code, ShouldEqual, 401)
 			})
 
+			middlewareScenario(t, "Snapshot public mode disabled and authenticated request should return 200", func(
+				t *testing.T, sc *scenarioContext) {
+				sc.m.Get("/api/snapshot", func(c *models.ReqContext) {
+					c.IsSignedIn = true
+				}, SnapshotPublicModeOrSignedIn(sc.cfg), sc.defaultHandler)
+				sc.fakeReq("GET", "/api/snapshot").exec()
+				assert.Equal(t, 200, sc.resp.Code)
+			})
+
 			middlewareScenario(t, "Snapshot public mode enabled and unauthenticated request should return 200", func(sc *scenarioContext) {
 				setting.SnapshotPublicMode = true
 				sc.m.Get("/api/snapshot", SnapshotPublicModeOrSignedIn(), sc.defaultHandler)
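Review bot: Both added `sc.m.Get` registrations call `SnapshotPublicModeOrSignedIn(sc.cfg)`, but the function as patched in pkg/middleware/auth.go takes no parameters, and the untouched scenario on the last line of this hunk still calls it with none, so this test file likely does not compile in this tree. The new authenticated scenario also passes a `func(t *testing.T, sc *scenarioContext)` callback and uses `assert.Equal`, while its neighbours pass `func(sc *scenarioContext)` and use `So`; middlewareScenario's signature is outside the hunk, but one Go function type cannot accept both shapes. This looks like a backport from a branch with a different test harness. I would call `SnapshotPublicModeOrSignedIn()` in both places and write the new scenario as `func(sc *scenarioContext)` ending in `So(sc.resp.Code, ShouldEqual, 200)`, so the regression test for the fix actually runs.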
diff --git a/public/app/features/dashboard/components/ShareModal/ShareModal.tsx b/public/app/features/dashboard/components/ShareModal/ShareModal.tsx
index efe68781a3ff..d6687a93b40f 100644
--- a/public/app/features/dashboard/components/ShareModal/ShareModal.tsx
+++ b/public/app/features/dashboard/components/ShareModal/ShareModal.tsx
@@ -6,21 +6,7 @@ import { ShareSnapshot } from './ShareSnapshot';
 import { ShareExport } from './ShareExport';
 import { ShareEmbed } from './ShareEmbed';
 import { ShareModalTabModel } from './types';
-
-const shareCommonTabs: ShareModalTabModel[] = [
-  { label: 'Link', value: 'link', component: ShareLink },
-  { label: 'Snapshot', value: 'snapshot', component: ShareSnapshot },
-];
-
-// prettier-ignore
-const shareDashboardTabs: ShareModalTabModel[] = [
-  { label: 'Export', value: 'export', component: ShareExport },
-];
-
-// prettier-ignore
-const sharePanelTabs: ShareModalTabModel[] = [
-  { label: 'Embed', value: 'embed', component: ShareEmbed },
-];
+import { contextSrv } from 'app/core/core';
 
 const customDashboardTabs: ShareModalTabModel[] = [];
 const customPanelTabs: ShareModalTabModel[] = [];
@@ -43,13 +29,18 @@ function getInitialState(props: Props): State {
 
 function getTabs(props: Props) {
   const { panel } = props;
-  const tabs = [...shareCommonTabs];
+
+  const tabs: ShareModalTabModel[] = [{ label: 'Link', value: 'link', component: ShareLink }];
+
+  if (contextSrv.isSignedIn) {
+    tabs.push({ label: 'Snapshot', value: 'snapshot', component: ShareSnapshot });
+  }
 
   if (panel) {
-    tabs.push(...sharePanelTabs);
+    tabs.push({ label: 'Embed', value: 'embed', component: ShareEmbed });
     tabs.push(...customPanelTabs);
   } else {
-    tabs.push(...shareDashboardTabs);
+    tabs.push({ label: 'Export', value: 'export', component: ShareExport });
     tabs.push(...customDashboardTabs);
   }
 
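Review bot: The `contextSrv.isSignedIn` check in getTabs only hides the Snapshot tab; it is not an access control, and nothing in the hunk says so. A comment above the `if` would help, e.g. `// UI convenience only: the server's snapshot middleware decides who may create snapshots.` The condition also ignores snapshot public mode, so on an instance where the server still accepts unauthenticated snapshot requests the tab is hidden anyway; if that is intended, the same comment should say so. getTabs continues past the end of the hunk.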