File CVE-2021-43813.patch of Package grafana

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2021-43813.patch of Package grafana

commit f2dd7da9e5c662c44b4f2690c6541f49a4ec4667
Author: Will Browne <wbrowne@users.noreply.github.com>
Date:   Fri Dec 10 11:29:12 2021 +0000

Apply markdown path traversal fix (CVE-2021-43813)
    
    apply fix (#42969)
    
    Note: cherry-pick changed to work with v6.7.4
    (cherry picked from commit ea77415cfe2cefe46ffce233076a1409abaa8df7)

diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
index 7d929e11e6..9d4ca9b54e 100644
--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
@@ -276,9 +276,9 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
 		return nil, PluginNotFoundError{pluginId}
 	}
 
-	path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
+	path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
 	if _, err := os.Stat(path); os.IsNotExist(err) {
-		path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
+		path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
 	}
 
 	if _, err := os.Stat(path); os.IsNotExist(err) {
@@ -291,3 +291,7 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
 	}
 	return data, nil
 }
+
+func mdFilepath(mdFilename string) string {
+	return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
+}

Places

File CVE-2021-43813.patch of Package grafana

Places