fixes (#407)

* Fix: Check method to be POST or GET

* Fix: Do not allow .. in URL

* Remove unnecessary variable

* Fix test

* fix async problem in tests

* move isSafeURL to a deeper level

* lint fix

* more complex check

* preparing release 1.3.11

* Update package.json

* Update cspell.config.json

* prepare cloud release (#6)

---------

Co-authored-by: Zoltán Bedi <zoltan.bedi@gmail.com>
Co-authored-by: Sriram <153843+yesoreyeram@users.noreply.github.com>

Author: 3 people

cspell.config.json

@@ -4,6 +4,7 @@
     "./.github/",
     "./dist/",
     "coverage",
+    "package.json",
     "./src/**/*.test.ts",
     "./website/src/css",
     "./website/*.js",

src/api.ts

@@ -148,6 +148,28 @@ export default class Api {
           .join('&');
     }
 
+    // it is important to validate here, directly before the request is sent out,
+    // because, for example, template-variables could be used to adjust the final url, etc.
+    if (!isSafeURL(req.url)) {
+      throw new Error('URL path contains unsafe characters');
+    }
+
     return getBackendSrv().fetch(req);
   }
 }
+
+function isSafeURL(url: string) {
+  if (url.endsWith('/..')) {
+    return false;
+  }
+
+  if (url.includes('/../')) {
+    return false;
+  }
+
+  if (url.includes('/..?')) {
+    return false;
+  }
+
+  return true;
+}

src/datasource.test.ts

@@ -1,5 +1,21 @@
 import { dateTime, TimeRange } from '@grafana/data';
-import { replaceMacros } from './datasource';
+import { JsonDataSource, replaceMacros } from './datasource';
+
+jest.mock('@grafana/runtime', () => ({
+  ...jest.requireActual('@grafana/runtime'),
+  getTemplateSrv: () => ({
+    getVariables: () => [],
+    replace: (text?: string) => text,
+  }),
+  getBackendSrv: () => ({
+    fetch: () => ({
+      toPromise: () =>
+        Promise.resolve({
+          data: [{ id: 1 }, { id: 2 }, { id: 3 }],
+        }),
+    }),
+  }),
+}));
 
 const sampleTimestampFrom = '2021-05-17T20:48:09.000Z'; // -> 1621284489
 const sampleTimestmapTo = '2021-05-17T20:50:23.000Z'; // -> 1621284623
@@ -22,3 +38,39 @@ test('range gets converted into unix epoch notation', () => {
   expect(replaceMacros('$__unixEpochFrom()', range)).toStrictEqual('1621284489');
   expect(replaceMacros('$__unixEpochTo()', range)).toStrictEqual('1621284623');
 });
+
+describe('datasource', () => {
+  it('should not allow urls that contains ..', async () => {
+    const ds = new JsonDataSource({ url: 'http://localhost:3000', jsonData: {} } as any);
+    const badPaths = ['/..', '/..?', '/../../', '/../..?'];
+
+    for (let path of badPaths) {
+      const response = ds.doRequest({ urlPath: path, method: 'GET' } as any);
+      await expect(response).rejects.toThrowError('URL path contains unsafe characters');
+    }
+
+    const goodPaths = ['/..thing', '/one..two/', '/thing../'];
+
+    for (let path of goodPaths) {
+      const response = ds.doRequest({ urlPath: path, method: 'GET' } as any);
+      // i just need to check that there were no errors, so i check for the response-length
+      await expect(response).resolves.toHaveLength(1);
+    }
+  });
+
+  it('should throw error when method is not POST or GET', async () => {
+    const ds = new JsonDataSource({ url: 'http://localhost:3000', jsonData: {} } as any);
+
+    const responsePUT = ds.doRequest({ method: 'PUT' } as any);
+
+    await expect(responsePUT).rejects.toThrowError('Invalid method PUT');
+
+    const responsePATCH = ds.doRequest({ method: 'PATCH' } as any);
+
+    await expect(responsePATCH).rejects.toThrowError('Invalid method PATCH');
+
+    const responseDELETE = ds.doRequest({ method: 'DELETE' } as any);
+
+    await expect(responseDELETE).rejects.toThrowError('Invalid method DELETE');
+  });
+});

src/datasource.ts

@@ -237,6 +237,10 @@ export class JsonDataSource extends DataSourceApi<JsonApiQuery, JsonApiDataSourc
       return [interpolate(key), interpolate(value)];
     };
 
+    if (query.method !== 'GET' && query.method !== 'POST') {
+      throw new Error(`Invalid method ${query.method}`);
+    }
+
     return await this.api.cachedGet(
       query.cacheDurationSeconds,
       query.method,