Enhance URL safety checks by sanitizing URLs (#444)

* Enhance URL safety checks

* Release 1.3.21 - Enhance URL safety checks by sanitizing URLs

Author: zoltanbedi

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## v1.3.21 - 2025-01-09
+
+- ⚙️ **Fix**: Enhance URL safety checks by sanitizing urls first.
+
 ## v1.3.20 - 2024-11-28
 
 - 🛡️ **Security**: Update `jsonpath-plus` to version 10.2.0

package.json

@@ -1,6 +1,6 @@
 {
   "name": "grafana-json-datasource",
-  "version": "1.3.20",
+  "version": "1.3.21",
   "description": "A data source plugin for loading JSON APIs into Grafana",
   "keywords": [
     "grafana",

src/api.ts

@@ -160,7 +160,7 @@ export default class Api {
 
 function isSafeURL(origUrl: string) {
   // browsers interpret backslash as slash
-  const url = origUrl.replace(/\\/g, '/');
+  const url = decodeURIComponent(origUrl.replace(/\\/g, '/'));
   if (url.endsWith('/..')) {
     return false;
   }
@@ -173,5 +173,9 @@ function isSafeURL(origUrl: string) {
     return false;
   }
 
+  if (url.includes('\t')) {
+    return false;
+  }
+
   return true;
 }

src/datasource.test.ts

@@ -53,6 +53,8 @@ describe('datasource', () => {
       '\\..\\../',
       '/../..?',
       '\\../..?',
+      '..%2F..%2f..%2F..%2F..%2F..%2Fapi/', // Make sure that encoded paths are also not allowed
+      '.%09.%2f.%09.%2f.%09.%2f.%09.%2fapi/', // Make sure that tabs are also not allowed
     ];
 
     for (let path of badPaths) {