lint (#42970 )

Merge pull request #186 from grafana/83-path-traverse-csv-md
Fix Path traverse for CSV + MD files
2026-01-09 05:27:45 +08:00 · 2021-12-10 11:34:59 +00:00 · 2021-12-10 12:14:58 +01:00 · 2021-12-10 10:56:38 +01:00 · 2021-12-10 10:56:25 +01:00 · 2021-12-07 18:18:35 +00:00
6 changed files with 146 additions and 101 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -11,7 +11,7 @@ services: []
 steps:
 - commands:
  - mkdir -p bin
-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
@@ -112,7 +112,7 @@ services: []
 steps:
 - commands:
  - mkdir -p bin
-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
@@ -337,7 +337,7 @@ services:
 steps:
 - commands:
  - mkdir -p bin
-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
@@ -417,7 +417,7 @@ services:
 steps:
 - commands:
  - mkdir -p bin
-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
@@ -822,7 +822,7 @@ steps:
  name: identify-runner
 - commands:
  - $$ProgressPreference = "SilentlyContinue"
-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/windows/grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/windows/grabpl.exe
    -OutFile grabpl.exe
  image: grafana/ci-wix:0.1.1
  name: initialize
@@ -843,6 +843,8 @@ steps:
  environment:
    GCP_KEY:
      from_secret: gcp_key
+    GITHUB_TOKEN:
+      from_secret: github_token
    PRERELEASE_BUCKET:
      from_secret: prerelease_bucket
  image: grafana/ci-wix:0.1.1
@@ -873,7 +875,7 @@ services: []
 steps:
 - commands:
  - mkdir -p bin
-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
@@ -969,7 +971,7 @@ services:
 steps:
 - commands:
  - mkdir -p bin
-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
@@ -1316,6 +1318,9 @@ steps:
 trigger:
  ref:
  - refs/tags/v*
+  repo:
+    exclude:
+    - grafana/grafana
 type: docker
 volumes:
 - name: cypress_cache
@@ -1340,7 +1345,7 @@ steps:
  name: identify-runner
 - commands:
  - $$ProgressPreference = "SilentlyContinue"
-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/windows/grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/windows/grabpl.exe
    -OutFile grabpl.exe
  image: grafana/ci-wix:0.1.1
  name: initialize
@@ -1361,6 +1366,8 @@ steps:
  environment:
    GCP_KEY:
      from_secret: gcp_key
+    GITHUB_TOKEN:
+      from_secret: github_token
    PRERELEASE_BUCKET:
      from_secret: prerelease_bucket
  image: grafana/ci-wix:0.1.1
@@ -1368,6 +1375,9 @@ steps:
 trigger:
  ref:
  - refs/tags/v*
+  repo:
+    exclude:
+    - grafana/grafana
 type: docker
 volumes:
 - name: cypress_cache
@@ -1411,7 +1421,7 @@ services:
 steps:
 - commands:
  - mkdir -p bin
-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
@@ -1432,7 +1442,8 @@ steps:
  - mv bin/grabpl /tmp/
  - rmdir bin
  - mv grafana-enterprise /tmp/
-  - /tmp/grabpl init-enterprise /tmp/grafana-enterprise ${DRONE_TAG}
+  - /tmp/grabpl init-enterprise --github-token $${GITHUB_TOKEN} /tmp/grafana-enterprise
+    ${DRONE_TAG}
  - mv /tmp/grafana-enterprise/deployment_tools_config.json deployment_tools_config.json
  - mkdir bin
  - mv /tmp/grabpl bin/
@@ -1442,6 +1453,9 @@ steps:
  - yarn install --immutable
  depends_on:
  - clone-enterprise
+  environment:
+    GITHUB_TOKEN:
+      from_secret: github_token
  image: grafana/build-container:1.4.8
  name: initialize
 - commands:
@@ -1891,6 +1905,9 @@ steps:
 trigger:
  ref:
  - refs/tags/v*
+  repo:
+    exclude:
+    - grafana/grafana
 type: docker
 volumes:
 - name: cypress_cache
@@ -1919,7 +1936,7 @@ steps:
  name: identify-runner
 - commands:
  - $$ProgressPreference = "SilentlyContinue"
-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/windows/grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/windows/grabpl.exe
    -OutFile grabpl.exe
  - git clone "https://$$env:GITHUB_TOKEN@github.com/grafana/grafana-enterprise.git"
  - cd grafana-enterprise
@@ -1934,10 +1951,13 @@ steps:
  - rm -r -force grafana-enterprise
  - cp grabpl.exe C:\App\grabpl.exe
  - rm -force grabpl.exe
-  - C:\App\grabpl.exe init-enterprise C:\App\grafana-enterprise
+  - C:\App\grabpl.exe init-enterprise --github-token $$env:GITHUB_TOKEN C:\App\grafana-enterprise
  - cp C:\App\grabpl.exe grabpl.exe
  depends_on:
  - clone
+  environment:
+    GITHUB_TOKEN:
+      from_secret: github_token
  image: grafana/ci-wix:0.1.1
  name: initialize
 - commands:
@@ -1957,6 +1977,8 @@ steps:
  environment:
    GCP_KEY:
      from_secret: gcp_key
+    GITHUB_TOKEN:
+      from_secret: github_token
    PRERELEASE_BUCKET:
      from_secret: prerelease_bucket
  image: grafana/ci-wix:0.1.1
@@ -1964,6 +1986,9 @@ steps:
 trigger:
  ref:
  - refs/tags/v*
+  repo:
+    exclude:
+    - grafana/grafana
 type: docker
 volumes:
 - name: cypress_cache
@@ -1972,34 +1997,6 @@ volumes:
    path: /var/run/docker.sock
  name: docker
 ---
-depends_on:
- oss-build-release
- oss-windows-release
- enterprise-build-release
- enterprise-windows-release
-kind: pipeline
-name: notify-release
-platform:
-  arch: amd64
-  os: linux
-steps:
- image: plugins/slack
-  name: slack
-  settings:
-    channel: grafana-ci-notifications
-    template: |-
-      Build {{build.number}} failed for commit: <https://github.com/{{repo.owner}}/{{repo.name}}/commit/{{build.commit}}|{{ truncate build.commit 8 }}>: {{build.link}}
-      Branch: <https://github.com/{{ repo.owner }}/{{ repo.name }}/commits/{{ build.branch }}|{{ build.branch }}>
-      Author: {{build.author}}
-    webhook:
-      from_secret: slack_webhook
-trigger:
-  ref:
-  - refs/tags/v*
-  status:
-  - failure
-type: docker
---
 depends_on: []
 kind: pipeline
 name: oss-build-test-release
@@ -2025,7 +2022,7 @@ services:
 steps:
 - commands:
  - mkdir -p bin
-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
@@ -2376,7 +2373,7 @@ steps:
  name: identify-runner
 - commands:
  - $$ProgressPreference = "SilentlyContinue"
-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/windows/grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/windows/grabpl.exe
    -OutFile grabpl.exe
  image: grafana/ci-wix:0.1.1
  name: initialize
@@ -2398,6 +2395,8 @@ steps:
  environment:
    GCP_KEY:
      from_secret: gcp_key
+    GITHUB_TOKEN:
+      from_secret: github_token
    PRERELEASE_BUCKET:
      from_secret: prerelease_bucket
  image: grafana/ci-wix:0.1.1
@@ -2448,7 +2447,7 @@ services:
 steps:
 - commands:
  - mkdir -p bin
-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
@@ -2469,7 +2468,7 @@ steps:
  - mv bin/grabpl /tmp/
  - rmdir bin
  - mv grafana-enterprise /tmp/
-  - /tmp/grabpl init-enterprise /tmp/grafana-enterprise
+  - /tmp/grabpl init-enterprise --github-token $${GITHUB_TOKEN} /tmp/grafana-enterprise
  - mv /tmp/grafana-enterprise/deployment_tools_config.json deployment_tools_config.json
  - mkdir bin
  - mv /tmp/grabpl bin/
@@ -2479,6 +2478,9 @@ steps:
  - yarn install --immutable
  depends_on:
  - clone-enterprise
+  environment:
+    GITHUB_TOKEN:
+      from_secret: github_token
  image: grafana/build-container:1.4.8
  name: initialize
 - commands:
@@ -2956,7 +2958,7 @@ steps:
  name: identify-runner
 - commands:
  - $$ProgressPreference = "SilentlyContinue"
-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/windows/grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/windows/grabpl.exe
    -OutFile grabpl.exe
  - git clone "https://$$env:GITHUB_TOKEN@github.com/grafana/grafana-enterprise.git"
  - cd grafana-enterprise
@@ -2971,10 +2973,13 @@ steps:
  - rm -r -force grafana-enterprise
  - cp grabpl.exe C:\App\grabpl.exe
  - rm -force grabpl.exe
-  - C:\App\grabpl.exe init-enterprise C:\App\grafana-enterprise
+  - C:\App\grabpl.exe init-enterprise --github-token $$env:GITHUB_TOKEN C:\App\grafana-enterprise
  - cp C:\App\grabpl.exe grabpl.exe
  depends_on:
  - clone
+  environment:
+    GITHUB_TOKEN:
+      from_secret: github_token
  image: grafana/ci-wix:0.1.1
  name: initialize
 - commands:
@@ -2995,6 +3000,8 @@ steps:
  environment:
    GCP_KEY:
      from_secret: gcp_key
+    GITHUB_TOKEN:
+      from_secret: github_token
    PRERELEASE_BUCKET:
      from_secret: prerelease_bucket
  image: grafana/ci-wix:0.1.1
@@ -3026,7 +3033,7 @@ services: []
 steps:
 - commands:
  - mkdir -p bin
-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
@@ -3146,7 +3153,7 @@ services:
 steps:
 - commands:
  - mkdir -p bin
-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
@@ -3479,7 +3486,7 @@ steps:
  name: identify-runner
 - commands:
  - $$ProgressPreference = "SilentlyContinue"
-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/windows/grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/windows/grabpl.exe
    -OutFile grabpl.exe
  image: grafana/ci-wix:0.1.1
  name: initialize
@@ -3496,6 +3503,8 @@ steps:
  environment:
    GCP_KEY:
      from_secret: gcp_key
+    GITHUB_TOKEN:
+      from_secret: github_token
    PRERELEASE_BUCKET:
      from_secret: prerelease_bucket
  image: grafana/ci-wix:0.1.1
@@ -3546,7 +3555,7 @@ services:
 steps:
 - commands:
  - mkdir -p bin
-  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/grabpl
+  - curl -fL -o bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/grabpl
  - chmod +x bin/grabpl
  image: byrnedo/alpine-curl:0.1.8
  name: grabpl
@@ -3567,7 +3576,7 @@ steps:
  - mv bin/grabpl /tmp/
  - rmdir bin
  - mv grafana-enterprise /tmp/
-  - /tmp/grabpl init-enterprise /tmp/grafana-enterprise
+  - /tmp/grabpl init-enterprise --github-token $${GITHUB_TOKEN} /tmp/grafana-enterprise
  - mv /tmp/grafana-enterprise/deployment_tools_config.json deployment_tools_config.json
  - mkdir bin
  - mv /tmp/grabpl bin/
@@ -3576,6 +3585,9 @@ steps:
  - yarn install --immutable
  depends_on:
  - clone-enterprise
+  environment:
+    GITHUB_TOKEN:
+      from_secret: github_token
  image: grafana/build-container:1.4.8
  name: initialize
 - commands:
@@ -4058,7 +4070,7 @@ steps:
  name: identify-runner
 - commands:
  - $$ProgressPreference = "SilentlyContinue"
-  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4/windows/grabpl.exe
+  - Invoke-WebRequest https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v2.7.4-private1/windows/grabpl.exe
    -OutFile grabpl.exe
  - git clone "https://$$env:GITHUB_TOKEN@github.com/grafana/grafana-enterprise.git"
  - cd grafana-enterprise
@@ -4073,10 +4085,13 @@ steps:
  - rm -r -force grafana-enterprise
  - cp grabpl.exe C:\App\grabpl.exe
  - rm -force grabpl.exe
-  - C:\App\grabpl.exe init-enterprise C:\App\grafana-enterprise
+  - C:\App\grabpl.exe init-enterprise --github-token $$env:GITHUB_TOKEN C:\App\grafana-enterprise
  - cp C:\App\grabpl.exe grabpl.exe
  depends_on:
  - clone
+  environment:
+    GITHUB_TOKEN:
+      from_secret: github_token
  image: grafana/ci-wix:0.1.1
  name: initialize
 - commands:
@@ -4092,6 +4107,8 @@ steps:
  environment:
    GCP_KEY:
      from_secret: gcp_key
+    GITHUB_TOKEN:
+      from_secret: github_token
    PRERELEASE_BUCKET:
      from_secret: prerelease_bucket
  image: grafana/ci-wix:0.1.1
@@ -4107,34 +4124,6 @@ volumes:
    path: /var/run/docker.sock
  name: docker
 ---
-depends_on:
- oss-build-release-branch
- oss-windows-release-branch
- enterprise-build-release-branch
- enterprise-windows-release-branch
-kind: pipeline
-name: notify-release-branch
-platform:
-  arch: amd64
-  os: linux
-steps:
- image: plugins/slack
-  name: slack
-  settings:
-    channel: grafana-ci-notifications
-    template: |-
-      Build {{build.number}} failed for commit: <https://github.com/{{repo.owner}}/{{repo.name}}/commit/{{build.commit}}|{{ truncate build.commit 8 }}>: {{build.link}}
-      Branch: <https://github.com/{{ repo.owner }}/{{ repo.name }}/commits/{{ build.branch }}|{{ build.branch }}>
-      Author: {{build.author}}
-    webhook:
-      from_secret: slack_webhook
-trigger:
-  ref:
-  - refs/heads/v[0-9]*
-  status:
-  - failure
-type: docker
---
 kind: pipeline
 name: scan-docker-images
 platform:
@@ -4195,6 +4184,6 @@ kind: secret
 name: prerelease_bucket
 ---
 kind: signature
-hmac: 98194804bc23be84848e25afddb618133c951e497795a0f5f5ff9b524b468d3a
+hmac: 1f99ba5e72cb86a739c7f0b09055b3c058f4408dba1c2c97704624fa61133c2a

 ...
--- a/pkg/api/plugins.go
+++ b/pkg/api/plugins.go
@@ -281,14 +281,27 @@ func (hs *HTTPServer) getPluginAssets(c *models.ReqContext) {
 		return
 	}

-	requestedFile := filepath.Clean(web.Params(c.Req)["*"])
-	pluginFilePath := filepath.Join(plugin.PluginDir, requestedFile)
+	// prepend slash for cleaning relative paths
+	requestedFile := filepath.Clean(filepath.Join("/", web.Params(c.Req)["*"]))
+	rel, err := filepath.Rel("/", requestedFile)
+	if err != nil {
+		// slash is prepended above therefore this is not expected to fail
+		c.JsonApiErr(500, "Failed to get the relative path", err)
+		return
+	}

-	if !plugin.IncludedInSignature(requestedFile) {
+	if !plugin.IncludedInSignature(rel) {
 		hs.log.Warn("Access to requested plugin file will be forbidden in upcoming Grafana versions as the file "+
 			"is not included in the plugin signature", "file", requestedFile)
 	}

+	absPluginDir, err := filepath.Abs(plugin.PluginDir)
+	if err != nil {
+		c.JsonApiErr(500, "Failed to get plugin absolute path", nil)
+		return
+	}
+
+	pluginFilePath := filepath.Join(absPluginDir, rel)
 	// It's safe to ignore gosec warning G304 since we already clean the requested file path and subsequently
 	// use this with a prefix of the plugin's directory, which is set during plugin loading
 	// nolint:gosec
@@ -465,15 +478,15 @@ func (hs *HTTPServer) pluginMarkdown(ctx context.Context, pluginId string, name
 	}

 	// nolint:gosec
-	// We can ignore the gosec G304 warning on this one because `plugin.PluginDir` is based
-	// on plugin the folder structure on disk and not user input.
-	path := filepath.Join(plugin.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
+	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+	// use this with a prefix of the plugin's directory, which is set during plugin loading
+	path := filepath.Join(plugin.PluginDir, mdFilepath(strings.ToUpper(name)))
 	exists, err := fs.Exists(path)
 	if err != nil {
 		return nil, err
 	}
 	if !exists {
-		path = filepath.Join(plugin.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
+		path = filepath.Join(plugin.PluginDir, mdFilepath(strings.ToLower(name)))
 	}

 	exists, err = fs.Exists(path)
@@ -485,11 +498,15 @@ func (hs *HTTPServer) pluginMarkdown(ctx context.Context, pluginId string, name
 	}

 	// nolint:gosec
-	// We can ignore the gosec G304 warning on this one because `plugin.PluginDir` is based
-	// on plugin the folder structure on disk and not user input.
+	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+	// use this with a prefix of the plugin's directory, which is set during plugin loading
 	data, err := ioutil.ReadFile(path)
 	if err != nil {
 		return nil, err
 	}
 	return data, nil
 }
+
+func mdFilepath(mdFilename string) string {
+	return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
+}
--- a/pkg/api/plugins_test.go
+++ b/pkg/api/plugins_test.go
@@ -23,9 +23,13 @@ func Test_GetPluginAssets(t *testing.T) {
 	pluginDir := "."
 	tmpFile, err := ioutil.TempFile(pluginDir, "")
 	require.NoError(t, err)
+	tmpFileInParentDir, err := ioutil.TempFile("..", "")
+	require.NoError(t, err)
 	t.Cleanup(func() {
 		err := os.RemoveAll(tmpFile.Name())
 		assert.NoError(t, err)
+		err = os.RemoveAll(tmpFileInParentDir.Name())
+		assert.NoError(t, err)
 	})
 	expectedBody := "Plugin test"
 	_, err = tmpFile.WriteString(expectedBody)
@@ -61,6 +65,29 @@ func Test_GetPluginAssets(t *testing.T) {
 			})
 	})

+	t.Run("Given a request for a relative path", func(t *testing.T) {
+		p := plugins.PluginDTO{
+			JSONData: plugins.JSONData{
+				ID: pluginID,
+			},
+			PluginDir: pluginDir,
+		}
+		service := &fakePluginStore{
+			plugins: map[string]plugins.PluginDTO{
+				pluginID: p,
+			},
+		}
+		l := &logger{}
+
+		url := fmt.Sprintf("/public/plugins/%s/%s", pluginID, tmpFileInParentDir.Name())
+		pluginAssetScenario(t, "When calling GET on", url, "/public/plugins/:pluginId/*", service, l,
+			func(sc *scenarioContext) {
+				callGetPluginAsset(sc)
+
+				require.Equal(t, 404, sc.resp.Code)
+			})
+	})
+
 	t.Run("Given a request for an existing plugin file that is not listed as a signature covered file", func(t *testing.T) {
 		p := plugins.PluginDTO{
 			JSONData: plugins.JSONData{
--- a/pkg/tsdb/testdatasource/csv_data.go
+++ b/pkg/tsdb/testdatasource/csv_data.go
@@ -73,13 +73,14 @@ func (s *Service) handleCsvFileScenario(ctx context.Context, req *backend.QueryD
 }

 func (s *Service) loadCsvFile(fileName string) (*data.Frame, error) {
-	validFileName := regexp.MustCompile(`([\w_]+)\.csv`)
+	validFileName := regexp.MustCompile(`^\w+\.csv$`)

 	if !validFileName.MatchString(fileName) {
 		return nil, fmt.Errorf("invalid csv file name: %q", fileName)
 	}

-	filePath := filepath.Join(s.cfg.StaticRootPath, "testdata", fileName)
+	csvFilepath := filepath.Clean(filepath.Join("/", fileName))
+	filePath := filepath.Join(s.cfg.StaticRootPath, "testdata", csvFilepath)

 	// Can ignore gosec G304 here, because we check the file pattern above
 	// nolint:gosec
--- a/scripts/drone/pipelines/release.star
+++ b/scripts/drone/pipelines/release.star
@@ -246,6 +246,9 @@ def release_pipelines(ver_mode='release', trigger=None):
    if not trigger:
        trigger = {
            'ref': ['refs/tags/v*',],
+            'repo': {
+              'exclude': ['grafana/grafana'],
+            },
        }

    should_publish = ver_mode in ('release', 'test-release',)
@@ -268,10 +271,10 @@ def release_pipelines(ver_mode='release', trigger=None):
            depends_on=[p['name'] for p in oss_pipelines + enterprise_pipelines],
        )

-    pipelines.append(notify_pipeline(
-        name='notify-{}'.format(ver_mode), slack_channel='grafana-ci-notifications', trigger=trigger,
-        depends_on=[p['name'] for p in pipelines],
-    ))
+    #pipelines.append(notify_pipeline(
+    #    name='notify-{}'.format(ver_mode), slack_channel='grafana-ci-notifications', trigger=trigger,
+    #    depends_on=[p['name'] for p in pipelines],
+    #))

    return pipelines

--- a/scripts/drone/steps/lib.star
+++ b/scripts/drone/steps/lib.star
@@ -1,6 +1,6 @@
 load('scripts/drone/vault.star', 'from_secret', 'github_token', 'pull_secret', 'drone_token', 'prerelease_bucket')

-grabpl_version = '2.7.4'
+grabpl_version = '2.7.4-private1'
 build_image = 'grafana/build-container:1.4.8'
 publish_image = 'grafana/grafana-ci-deploy:1.3.1'
 grafana_docker_image = 'grafana/drone-grafana-docker:0.3.2'
@@ -84,11 +84,14 @@ def initialize_step(edition, platform, ver_mode, is_downstream=False, install_de
                'depends_on': [
                    'clone-enterprise',
                ],
+                'environment': {
+                  'GITHUB_TOKEN': from_secret(github_token),
+                },
                'commands': [
                                'mv bin/grabpl /tmp/',
                                'rmdir bin',
                                'mv grafana-enterprise /tmp/',
-                                '/tmp/grabpl init-enterprise /tmp/grafana-enterprise{}'.format(source_commit),
+                                '/tmp/grabpl init-enterprise --github-token $${{GITHUB_TOKEN}} /tmp/grafana-enterprise{}'.format(source_commit),
                                'mv /tmp/grafana-enterprise/deployment_tools_config.json deployment_tools_config.json',
                                'mkdir bin',
                                'mv /tmp/grabpl bin/'
@@ -1050,7 +1053,8 @@ def get_windows_steps(edition, ver_mode, is_downstream=False):
            'image': wix_image,
            'environment': {
                'GCP_KEY': from_secret('gcp_key'),
-                'PRERELEASE_BUCKET': from_secret(prerelease_bucket)
+                'PRERELEASE_BUCKET': from_secret(prerelease_bucket),
+                'GITHUB_TOKEN': from_secret('github_token')
            },
            'commands': installer_commands,
            'depends_on': [
@@ -1098,9 +1102,13 @@ def get_windows_steps(edition, ver_mode, is_downstream=False):
            'rm -r -force grafana-enterprise',
            'cp grabpl.exe C:\\App\\grabpl.exe',
            'rm -force grabpl.exe',
-            'C:\\App\\grabpl.exe init-enterprise C:\\App\\grafana-enterprise{}'.format(source_commit),
+            'C:\\App\\grabpl.exe init-enterprise --github-token $$env:GITHUB_TOKEN C:\\App\\grafana-enterprise{}'.format(source_commit),
            'cp C:\\App\\grabpl.exe grabpl.exe',
        ])
+        if 'environment' in steps[1]:
+            steps[1]['environment'] + {'GITHUB_TOKEN': from_secret(github_token)}
+        else:
+            steps[1]['environment'] = {'GITHUB_TOKEN': from_secret(github_token)}

    return steps
Author	SHA1	Message	Date
malcolmholmes	afb9e8e5f3	lint (#42970 )	2021-12-10 11:34:59 +00:00
Timur Olzhabayev	e0842b265f	Merge pull request #186 from grafana/83-path-traverse-csv-md Fix Path traverse for CSV + MD files	2021-12-10 12:14:58 +01:00
Will Browne	1d7105c095	fix regex (cherry picked from commit a259213a3badc9618e969f2c8db0a0143f00faee)	2021-12-10 10:56:38 +01:00
Will Browne	06706efbbe	fixes (cherry picked from commit a2c386915ce11b9422f4af8ae181eaa1a22bc5c3)	2021-12-10 10:56:25 +01:00
Malcolm Holmes	7183b01df1	Fix windows enterprise	2021-12-07 18:18:35 +00:00
Malcolm Holmes	8d38082755	Alternative syntax for github token	2021-12-07 14:49:00 +00:00
Malcolm Holmes	b9eacd93e9	Adjust windows enterprise init	2021-12-07 12:29:38 +00:00
Malcolm Holmes	f5b24ed416	Relocate github arg	2021-12-07 09:50:47 +00:00
Malcolm Holmes	fefc3181fd	provide github token	2021-12-07 08:34:01 +00:00
Malcolm Holmes	35625cea67	Include .drone.yml	2021-12-07 08:09:25 +00:00
Malcolm Holmes	6077aaecbc	Update build tool	2021-12-06 19:41:11 +00:00
Malcolm Holmes	a38ec114cb	lint	2021-12-06 18:19:01 +00:00
Malcolm Holmes	d8ce54553f	Temporarily disable slack notification	2021-12-06 17:27:18 +00:00
malcolmholmes	7f483f8195	Build: Correct syntax for directing release builds (#42789 )	2021-12-06 16:27:01 +00:00
malcolmholmes	364762401f	Build: don't run release builds on grafana/grafana repo (#42785 )	2021-12-06 16:26:28 +00:00
Sofia Papagiannaki	b98c51cbe5	Improve comments and error message.	2021-12-06 09:21:15 +02:00
Kyle Brandt	00e38ba555	security: fix dir traversal issue	2021-12-03 12:50:28 -05:00