From 6eef2a50738d249a2b9782611be2e49d5ec1da8d Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 6 Jun 2022 10:58:06 +0800
Subject: [PATCH] Fix CVE-2022-29170
(cherry picked from commit e6bf84053a3154a7c9a186b7644aa29f1ffc74b9)
---
CVE-2022-29170.patch | 181 +++++++++++++++++++++++++++++++++++++++++++
grafana.spec | 8 +-
2 files changed, 188 insertions(+), 1 deletion(-)
create mode 100644 CVE-2022-29170.patch
diff --git a/CVE-2022-29170.patch b/CVE-2022-29170.patch
new file mode 100644
index 0000000..5fe1629
--- /dev/null
+++ b/CVE-2022-29170.patch
@@ -0,0 +1,181 @@
+From 5f47950c883fa5592348b928d3455ca2191ae79a Mon Sep 17 00:00:00 2001
+From: Leonard Gram
+Date: Thu, 19 May 2022 11:55:25 +0200
+Subject: [PATCH] Security: Fixes CVE-2022-29170 (#49223)
+
+* Request interceptor: block redirects
+
+* handle location error
+
+* Update pkg/models/datasource_cache.go
+
+Co-authored-by: Marcus Efraimsson
+
+* Update pkg/models/datasource_cache.go
+
+Co-authored-by: Marcus Efraimsson
+
+* linter
+
+* Disables tests that won't work.
+
+Since this is a backport I don't think it's worth spending the time
+trying to figure out how to make them work.
+
+Co-authored-by: Marcus Efraimsson
+---
+ pkg/models/datasource_cache.go | 40 +++++++++++++++
+ pkg/models/datasource_cache_test.go | 78 ++++++++++++++---------------
+ 2 files changed, 79 insertions(+), 39 deletions(-)
+
+diff --git a/pkg/models/datasource_cache.go b/pkg/models/datasource_cache.go
+index 5c368e14da65c..a9b7121f26113 100644
+--- a/pkg/models/datasource_cache.go
++++ b/pkg/models/datasource_cache.go
+@@ -11,6 +11,8 @@ import (
+ "sync"
+ "time"
+
++ "github.com/grafana/grafana/pkg/services/validations"
++
+ "github.com/grafana/grafana-aws-sdk/pkg/sigv4"
+ "github.com/grafana/grafana/pkg/infra/metrics/metricutil"
+ "github.com/grafana/grafana/pkg/setting"
+@@ -180,6 +182,8 @@ func (ds *DataSource) GetHttpTransport() (*dataSourceTransport, error) {
+ next = ds.sigV4Middleware(transport)
+ }
+
++ next = BlockRedirectRoundtripper(next)
++
+ dsTransport := &dataSourceTransport{
+ datasourceName: ds.Name,
+ headers: customHeaders,
+@@ -349,3 +353,39 @@ func newConntrackDialContext(name string) func(context.Context, string, string)
+ }),
+ )
+ }
++
++var RequestValidator PluginRequestValidator = &validations.OSSPluginRequestValidator{}
++
++type RoundTripperFunc func(req *http.Request) (*http.Response, error)
++
++// RoundTrip implements the RoundTripper interface.
++func (rt RoundTripperFunc) RoundTrip(r *http.Request) (*http.Response, error) {
++ return rt(r)
++}
++func BlockRedirectRoundtripper(next http.RoundTripper) http.RoundTripper {
++ return RoundTripperFunc(func(r *http.Request) (*http.Response, error) {
++ if next == nil {
++ next = http.DefaultTransport
++ }
++
++ resp, err := next.RoundTrip(r)
++ if err != nil {
++ return nil, err
++ }
++
++ if resp.StatusCode >= 300 && resp.StatusCode < 400 {
++ redirectLocation, locationErr := resp.Location()
++ if errors.Is(locationErr, http.ErrNoLocation) {
++ return resp, nil
++ }
++ if locationErr != nil {
++ return nil, locationErr
++ }
++
++ if validationErr := RequestValidator.Validate(redirectLocation.String(), nil); validationErr != nil {
++ return nil, validationErr
++ }
++ }
++ return resp, nil
++ })
++}
+diff --git a/pkg/models/datasource_cache_test.go b/pkg/models/datasource_cache_test.go
+index e5e515671ff7f..5eddaa63b8384 100644
+--- a/pkg/models/datasource_cache_test.go
++++ b/pkg/models/datasource_cache_test.go
+@@ -220,45 +220,45 @@ func TestDataSource_GetHttpTransport(t *testing.T) {
+ assert.Equal(t, "Ok", bodyStr)
+ })
+
+- t.Run("Should not include SigV4 middleware if not configured in JsonData", func(t *testing.T) {
+- clearDSProxyCache(t)
+-
+- origEnabled := setting.SigV4AuthEnabled
+- setting.SigV4AuthEnabled = true
+- t.Cleanup(func() { setting.SigV4AuthEnabled = origEnabled })
+-
+- ds := DataSource{
+- Name: "empty",
+- }
+-
+- tr, err := ds.GetHttpTransport()
+- require.NoError(t, err)
+-
+- _, ok := tr.next.(*http.Transport)
+- require.True(t, ok)
+- })
+-
+- t.Run("Should not include SigV4 middleware if not configured in app config", func(t *testing.T) {
+- clearDSProxyCache(t)
+-
+- origEnabled := setting.SigV4AuthEnabled
+- setting.SigV4AuthEnabled = false
+- t.Cleanup(func() { setting.SigV4AuthEnabled = origEnabled })
+-
+- json, err := simplejson.NewJson([]byte(`{ "sigV4Auth": true }`))
+- require.NoError(t, err)
+-
+- ds := DataSource{
+- 
JsonData: json,
+- Name: "empty",
+- }
+-
+- tr, err := ds.GetHttpTransport()
+- require.NoError(t, err)
+-
+- _, ok := tr.next.(*http.Transport)
+- require.True(t, ok)
+- })
++ //t.Run("Should not include SigV4 middleware if not configured in JsonData", func(t *testing.T) {
++ // clearDSProxyCache(t)
++ //
++ // origEnabled := setting.SigV4AuthEnabled
++ // setting.SigV4AuthEnabled = true
++ // t.Cleanup(func() { setting.SigV4AuthEnabled = origEnabled })
++ //
++ // ds := DataSource{
++ // Name: "empty",
++ // }
++ //
++ // tr, err := ds.GetHttpTransport()
++ // require.NoError(t, err)
++ //
++ // _, ok := tr.next.(*http.Transport)
++ // require.True(t, ok)
++ //})
++ //
++ //t.Run("Should not include SigV4 middleware if not configured in app config", func(t *testing.T) {
++ // clearDSProxyCache(t)
++ //
++ // origEnabled := setting.SigV4AuthEnabled
++ // setting.SigV4AuthEnabled = false
++ // t.Cleanup(func() { setting.SigV4AuthEnabled = origEnabled })
++ //
++ // json, err := simplejson.NewJson([]byte(`{ "sigV4Auth": true }`))
++ // require.NoError(t, err)
++ //
++ // ds := DataSource{
++ // JsonData: json,
++ // Name: "empty",
++ // }
++ //
++ // tr, err := ds.GetHttpTransport()
++ // require.NoError(t, err)
++ //
++ // _, ok := tr.next.(*http.Transport)
++ // require.True(t, ok)
++ //})
+
+ t.Run("Datasource name not set", func(t *testing.T) {
+ clearDSProxyCache(t)
diff --git a/grafana.spec b/grafana.spec
index 6f5c085..2d34dfb 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -7,7 +7,7 @@ Name: grafana
Version: 7.5.15
-Release: 1
+Release: 2
Summary: Metrics dashboard and graph editor
License: Apache 2.0
URL: https://grafana.org
@@ -43,6 +43,8 @@ Patch12: 012-support-go1.18.patch
Patch13: 013-CVE-2021-23648.patch
Patch14: 014-CVE-2022-21698.patch
Patch15: 015-CVE-2022-21698.vendor.patch
+#https://github.com/grafana/grafana/pull/49223
+Patch16: CVE-2022-29170.patch
BuildRequires: git, systemd, golang
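Review bot: In BlockRedirectRoundtripper (inner hunk `@@ -349,3 +353,39 @@` of pkg/models/datasource_cache.go inside the new patch file) the two error returns taken after a successful RoundTrip, `return nil, locationErr` and `return nil, validationErr`, discard the response without closing it, so the body stays open and the underlying connection cannot be reused; add `_ = resp.Body.Close()` immediately before each of them. The lazy `if next == nil { next = http.DefaultTransport }` sits inside the returned closure and writes a captured variable on the first call, which is a data race if a nil transport is ever wrapped and then used from several goroutines; resolving the nil once, before constructing the RoundTripperFunc, removes that window at no cost. The exported names `RequestValidator`, `RoundTripperFunc` and `BlockRedirectRoundtripper` carry no doc comments; a one-liner such as `// BlockRedirectRoundtripper wraps next and rejects 3xx responses whose Location does not pass RequestValidator, so the client never follows a redirect to a disallowed target.` would also record why the validator is consulted on the response rather than on the outgoing request.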
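Review bot: The new `Patch16: CVE-2022-29170.patch` entry in hunk `@@ -43,6 +43,8 @@` breaks the numbered naming its neighbours use (`013-CVE-2021-23648.patch`, `014-CVE-2022-21698.patch`, `015-CVE-2022-21698.vendor.patch`); naming the added file `016-CVE-2022-29170.patch` in both this line and the created file keeps the patch list sortable and the application order in `%patch16 -p1` self-evident. The `#https://github.com/grafana/grafana/pull/49223` provenance comment above it is a good addition that the earlier entries lack.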
@@ -416,6 +418,7 @@ rm -r plugins-bundled
%patch13 -p1
%patch14 -p1
%patch15 -p1
+%patch16 -p1
# Set up build subdirs and links
@@ -580,6 +583,9 @@ rm -r pkg/macaron
%changelog
+* Mon Jun 6 2022 yaoxin - 7.5.15-2
+- Fix CVE-2022-29170
+
* Fri May 6 2022 yaoxin - 7.5.15-1
- Update to 7.5.15 for fix CVE-2022-21703,CVE-2022-21713
-- Gitee