File CVE-2021-39226.patch of Package grafana

From c5bda8b9dd5439456007acb14982b3220e0f7ea3 Mon Sep 17 00:00:00 2001
From: Darragh O'Reilly <doreilly@suse.com>
Date: Mon, 5 Sep 2022 15:12:30 +0100
Subject: [PATCH] Fix static path matching issue in macaron

https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269
---
 pkg/api/dashboard_snapshot.go        | 10 ++++++++++
 vendor/gopkg.in/macaron.v1/router.go | 10 ++++++----
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/pkg/api/dashboard_snapshot.go b/pkg/api/dashboard_snapshot.go
index eeda6ec3b1..798adabb68 100644
--- a/pkg/api/dashboard_snapshot.go
+++ b/pkg/api/dashboard_snapshot.go
@@ -138,6 +138,10 @@ func CreateDashboardSnapshot(c *models.ReqContext, cmd models.CreateDashboardSna
 // GET /api/snapshots/:key
 func GetDashboardSnapshot(c *models.ReqContext) {
 	key := c.Params(":key")
+	if len(key) == 0 {
+		c.JsonApiErr(404, "Snapshot not found", nil)
+		return
+	}
 	query := &models.GetDashboardSnapshotQuery{Key: key}
 
 	err := bus.Dispatch(query)
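Review bot: The empty-key guard added in GetDashboardSnapshot has no comment saying why it exists, and the same unexplained check is repeated in DeleteDashboardSnapshotByDeleteKey and DeleteDashboardSnapshot. Because it looks redundant once the router change in this patch is applied, a later cleanup could remove it; I would add `// Defence in depth: never run the snapshot query with an empty key, even if routing hands us one.` above each check. What an empty Key or DeleteKey does inside the query handler is not visible here, so the comment should stay that general unless confirmed against the handler. All three function bodies continue outside their hunks, and the patch contains no regression test for the empty-key case.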
@@ -200,6 +204,9 @@ func deleteExternalDashboardSnapshot(externalUrl string) error {
 // GET /api/snapshots-delete/:deleteKey
 func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) Response {
 	key := c.Params(":deleteKey")
+	if len(key) == 0 {
+		return Error(404, "Snapshot not found", nil)
+	}
 
 	query := &models.GetDashboardSnapshotQuery{DeleteKey: key}
 
@@ -227,6 +234,9 @@ func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) Response {
 // DELETE /api/snapshots/:key
 func DeleteDashboardSnapshot(c *models.ReqContext) Response {
 	key := c.Params(":key")
+	if len(key) == 0 {
+		return Error(404, "Snapshot not found", nil)
+	}
 
 	query := &models.GetDashboardSnapshotQuery{Key: key}
 
diff --git a/vendor/gopkg.in/macaron.v1/router.go b/vendor/gopkg.in/macaron.v1/router.go
index df593d669a..46cb0c160f 100644
--- a/vendor/gopkg.in/macaron.v1/router.go
+++ b/vendor/gopkg.in/macaron.v1/router.go
@@ -289,10 +289,12 @@ func (r *Router) SetHandlerWrapper(f func(Handler) Handler) {
 func (r *Router) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	if t, ok := r.routers[req.Method]; ok {
 		// Fast match for static routes
-		leaf := r.getLeaf(req.Method, req.URL.Path)
-		if leaf != nil {
-			leaf.handle(rw, req, nil)
-			return
+		if !strings.ContainsAny(req.URL.Path, ":*") {
+			leaf := r.getLeaf(req.Method, req.URL.Path)
+			if leaf != nil {
+				leaf.handle(rw, req, nil)
+				return
+			}
 		}
 
 		h, p, ok := t.Match(req.URL.EscapedPath())
-- 
2.35.3
