rpms / grafana

Clone
Source Code
GIT

Blame SOURCES/016-fix-CVE-2022-31107.patch

c8 c8-beta c8s c9 c9-beta
  1.   c8-beta
  2.   SOURCES
  3.   016-fix-CVE-2022-31107.patch
Blob History Raw
ad1bcd 
From 41a9a27cf0767828f38a390bbe7cf43f613b882e Mon Sep 17 00:00:00 2001
ad1bcd 
From: Andreas Gerstmayr <agerstmayr@redhat.com>
ad1bcd 
Date: Fri, 15 Jul 2022 14:05:14 +0200
ad1bcd 
Subject: [PATCH] fix CVE-2022-31107
ad1bcd
ad1bcd 
backport 967e17d7ef6bc62a108add33ea699710f0e15870 from v8.4.10
ad1bcd
ad1bcd 
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
ad1bcd 
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
ad1bcd
ad1bcd 
diff --git a/pkg/api/ldap_debug.go b/pkg/api/ldap_debug.go
ad1bcd 
index 126e760b67..c9e2b606c5 100644
ad1bcd 
--- a/pkg/api/ldap_debug.go
ad1bcd 
+++ b/pkg/api/ldap_debug.go
ad1bcd 
@@ -215,6 +215,11 @@ func (hs *HTTPServer) PostSyncUserWithLDAP(c *models.ReqContext) response.Respon
ad1bcd 
 		ReqContext:    c,
ad1bcd 
 		ExternalUser:  user,
ad1bcd 
 		SignupAllowed: hs.Cfg.LDAPAllowSignup,
ad1bcd 
+		UserLookupParams: models.UserLookupParams{
ad1bcd 
+			UserID: &query.Result.Id, // Upsert by ID only
ad1bcd 
+			Email:  nil,
ad1bcd 
+			Login:  nil,
ad1bcd 
+		},
ad1bcd 
 	}
ad1bcd
ad1bcd 
 	err = bus.Dispatch(upsertCmd)
ad1bcd 
diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
ad1bcd 
index 1fce9b6f61..611d51444f 100644
ad1bcd 
--- a/pkg/api/login_oauth.go
ad1bcd 
+++ b/pkg/api/login_oauth.go
ad1bcd 
@@ -250,6 +250,11 @@ func syncUser(
ad1bcd 
 		ReqContext:    ctx,
ad1bcd 
 		ExternalUser:  extUser,
ad1bcd 
 		SignupAllowed: connect.IsSignupAllowed(),
ad1bcd 
+		UserLookupParams: models.UserLookupParams{
ad1bcd 
+			Email:  &extUser.Email,
ad1bcd 
+			UserID: nil,
ad1bcd 
+			Login:  nil,
ad1bcd 
+		},
ad1bcd 
 	}
ad1bcd 
 	if err := bus.Dispatch(cmd); err != nil {
ad1bcd 
 		return nil, err
ad1bcd 
diff --git a/pkg/login/ldap_login.go b/pkg/login/ldap_login.go
ad1bcd 
index cb5d984e73..82dac2ee9e 100644
ad1bcd 
--- a/pkg/login/ldap_login.go
ad1bcd 
+++ b/pkg/login/ldap_login.go
ad1bcd 
@@ -56,9 +56,13 @@ var loginUsingLDAP = func(query *models.LoginUserQuery) (bool, error) {
ad1bcd 
 		ReqContext:    query.ReqContext,
ad1bcd 
 		ExternalUser:  externalUser,
ad1bcd 
 		SignupAllowed: setting.LDAPAllowSignup,
ad1bcd 
+		UserLookupParams: models.UserLookupParams{
ad1bcd 
+			Login:  &externalUser.Login,
ad1bcd 
+			Email:  &externalUser.Email,
ad1bcd 
+			UserID: nil,
ad1bcd 
+		},
ad1bcd 
 	}
ad1bcd 
-	err = bus.Dispatch(upsert)
ad1bcd 
-	if err != nil {
ad1bcd 
+	if err = bus.Dispatch(upsert); err != nil {
ad1bcd 
 		return true, err
ad1bcd 
 	}
ad1bcd 
 	query.User = upsert.Result
ad1bcd 
diff --git a/pkg/models/user_auth.go b/pkg/models/user_auth.go
ad1bcd 
index 2061cf048b..a98efe659e 100644
ad1bcd 
--- a/pkg/models/user_auth.go
ad1bcd 
+++ b/pkg/models/user_auth.go
ad1bcd 
@@ -54,11 +54,11 @@ type RequestURIKey struct{}
ad1bcd 
 // COMMANDS
ad1bcd
ad1bcd 
 type UpsertUserCommand struct {
ad1bcd 
-	ReqContext    *ReqContext
ad1bcd 
-	ExternalUser  *ExternalUserInfo
ad1bcd 
+	ReqContext   *ReqContext
ad1bcd 
+	ExternalUser *ExternalUserInfo
ad1bcd 
+	UserLookupParams
ad1bcd 
+	Result        *User
ad1bcd 
 	SignupAllowed bool
ad1bcd 
-
ad1bcd 
-	Result *User
ad1bcd 
 }
ad1bcd
ad1bcd 
 type SetAuthInfoCommand struct {
ad1bcd 
@@ -95,13 +95,18 @@ type LoginUserQuery struct {
ad1bcd 
 type GetUserByAuthInfoQuery struct {
ad1bcd 
 	AuthModule string
ad1bcd 
 	AuthId     string
ad1bcd 
-	UserId     int64
ad1bcd 
-	Email      string
ad1bcd 
-	Login      string
ad1bcd 
+	UserLookupParams
ad1bcd
ad1bcd 
 	Result *User
ad1bcd 
 }
ad1bcd
ad1bcd 
+type UserLookupParams struct {
ad1bcd 
+	// Describes lookup order as well
ad1bcd 
+	UserID *int64  // if set, will try to find the user by id
ad1bcd 
+	Email  *string // if set, will try to find the user by email
ad1bcd 
+	Login  *string // if set, will try to find the user by login
ad1bcd 
+}
ad1bcd 
+
ad1bcd 
 type GetExternalUserInfoByLoginQuery struct {
ad1bcd 
 	LoginOrEmail string
ad1bcd
ad1bcd 
diff --git a/pkg/services/contexthandler/authproxy/authproxy.go b/pkg/services/contexthandler/authproxy/authproxy.go
ad1bcd 
index 80e5a5b9e0..0d834748a7 100644
ad1bcd 
--- a/pkg/services/contexthandler/authproxy/authproxy.go
ad1bcd 
+++ b/pkg/services/contexthandler/authproxy/authproxy.go
ad1bcd 
@@ -246,6 +246,11 @@ func (auth *AuthProxy) LoginViaLDAP() (int64, error) {
ad1bcd 
 		ReqContext:    auth.ctx,
ad1bcd 
 		SignupAllowed: auth.cfg.LDAPAllowSignup,
ad1bcd 
 		ExternalUser:  extUser,
ad1bcd 
+		UserLookupParams: models.UserLookupParams{
ad1bcd 
+			Login:  &extUser.Login,
ad1bcd 
+			Email:  &extUser.Email,
ad1bcd 
+			UserID: nil,
ad1bcd 
+		},
ad1bcd 
 	}
ad1bcd 
 	if err := bus.Dispatch(upsert); err != nil {
ad1bcd 
 		return 0, err
ad1bcd 
@@ -288,6 +293,11 @@ func (auth *AuthProxy) LoginViaHeader() (int64, error) {
ad1bcd 
 		ReqContext:    auth.ctx,
ad1bcd 
 		SignupAllowed: auth.cfg.AuthProxyAutoSignUp,
ad1bcd 
 		ExternalUser:  extUser,
ad1bcd 
+		UserLookupParams: models.UserLookupParams{
ad1bcd 
+			UserID: nil,
ad1bcd 
+			Login:  &extUser.Login,
ad1bcd 
+			Email:  &extUser.Email,
ad1bcd 
+		},
ad1bcd 
 	}
ad1bcd
ad1bcd 
 	err := bus.Dispatch(upsert)
ad1bcd 
diff --git a/pkg/services/login/login.go b/pkg/services/login/login.go
ad1bcd 
index 9e08a36b06..b74d1d3e8f 100644
ad1bcd 
--- a/pkg/services/login/login.go
ad1bcd 
+++ b/pkg/services/login/login.go
ad1bcd 
@@ -37,11 +37,9 @@ func (ls *LoginService) UpsertUser(cmd *models.UpsertUserCommand) error {
ad1bcd 
 	extUser := cmd.ExternalUser
ad1bcd
ad1bcd 
 	userQuery := &models.GetUserByAuthInfoQuery{
ad1bcd 
-		AuthModule: extUser.AuthModule,
ad1bcd 
-		AuthId:     extUser.AuthId,
ad1bcd 
-		UserId:     extUser.UserId,
ad1bcd 
-		Email:      extUser.Email,
ad1bcd 
-		Login:      extUser.Login,
ad1bcd 
+		AuthModule:       extUser.AuthModule,
ad1bcd 
+		AuthId:           extUser.AuthId,
ad1bcd 
+		UserLookupParams: cmd.UserLookupParams,
ad1bcd 
 	}
ad1bcd 
 	if err := bus.Dispatch(userQuery); err != nil {
ad1bcd 
 		if !errors.Is(err, models.ErrUserNotFound) {
ad1bcd 
diff --git a/pkg/services/login/login_test.go b/pkg/services/login/login_test.go
ad1bcd 
index 04953b567a..dd84ee29c8 100644
ad1bcd 
--- a/pkg/services/login/login_test.go
ad1bcd 
+++ b/pkg/services/login/login_test.go
ad1bcd 
@@ -82,10 +82,12 @@ func Test_teamSync(t *testing.T) {
ad1bcd 
 		QuotaService: &quota.QuotaService{},
ad1bcd 
 	}
ad1bcd
ad1bcd 
-	upserCmd := &models.UpsertUserCommand{ExternalUser: &models.ExternalUserInfo{Email: "test_user@example.org"}}
ad1bcd 
+	email := "test_user@example.org"
ad1bcd 
+	upserCmd := &models.UpsertUserCommand{ExternalUser: &models.ExternalUserInfo{Email: email},
ad1bcd 
+		UserLookupParams: models.UserLookupParams{Email: &email}}
ad1bcd 
 	expectedUser := &models.User{
ad1bcd 
 		Id:    1,
ad1bcd 
-		Email: "test_user@example.org",
ad1bcd 
+		Email: email,
ad1bcd 
 		Name:  "test_user",
ad1bcd 
 		Login: "test_user",
ad1bcd 
 	}
ad1bcd 
diff --git a/pkg/services/sqlstore/user_auth.go b/pkg/services/sqlstore/user_auth.go
ad1bcd 
index 9605ccce76..f6f0e510bc 100644
ad1bcd 
--- a/pkg/services/sqlstore/user_auth.go
ad1bcd 
+++ b/pkg/services/sqlstore/user_auth.go
ad1bcd 
@@ -40,11 +40,12 @@ func GetUserByAuthInfo(query *models.GetUserByAuthInfoQuery) error {
ad1bcd 
 			}
ad1bcd
ad1bcd 
 			// if user id was specified and doesn't match the user_auth entry, remove it
ad1bcd 
-			if query.UserId != 0 && query.UserId != authQuery.Result.UserId {
ad1bcd 
-				err = DeleteAuthInfo(&models.DeleteAuthInfoCommand{
ad1bcd 
+			if query.UserLookupParams.UserID != nil &&
ad1bcd 
+				*query.UserLookupParams.UserID != 0 &&
ad1bcd 
+				*query.UserLookupParams.UserID != authQuery.Result.UserId {
ad1bcd 
+				if err := DeleteAuthInfo(&models.DeleteAuthInfoCommand{
ad1bcd 
 					UserAuth: authQuery.Result,
ad1bcd 
-				})
ad1bcd 
-				if err != nil {
ad1bcd 
+				}); err != nil {
ad1bcd 
 					sqlog.Error("Error removing user_auth entry", "error", err)
ad1bcd 
 				}
ad1bcd
ad1bcd 
@@ -70,17 +71,18 @@ func GetUserByAuthInfo(query *models.GetUserByAuthInfoQuery) error {
ad1bcd 
 		}
ad1bcd 
 	}
ad1bcd
ad1bcd 
+	params := query.UserLookupParams
ad1bcd 
 	// If not found, try to find the user by id
ad1bcd 
-	if !has && query.UserId != 0 {
ad1bcd 
-		has, err = x.Id(query.UserId).Get(user)
ad1bcd 
+	if !has && params.UserID != nil && *params.UserID != 0 {
ad1bcd 
+		has, err = x.Id(*params.UserID).Get(user)
ad1bcd 
 		if err != nil {
ad1bcd 
 			return err
ad1bcd 
 		}
ad1bcd 
 	}
ad1bcd
ad1bcd 
 	// If not found, try to find the user by email address
ad1bcd 
-	if !has && query.Email != "" {
ad1bcd 
-		user = &models.User{Email: query.Email}
ad1bcd 
+	if !has && params.Email != nil && *params.Email != "" {
ad1bcd 
+		user = &models.User{Email: *params.Email}
ad1bcd 
 		has, err = x.Get(user)
ad1bcd 
 		if err != nil {
ad1bcd 
 			return err
ad1bcd 
@@ -88,8 +90,8 @@ func GetUserByAuthInfo(query *models.GetUserByAuthInfoQuery) error {
ad1bcd 
 	}
ad1bcd
ad1bcd 
 	// If not found, try to find the user by login
ad1bcd 
-	if !has && query.Login != "" {
ad1bcd 
-		user = &models.User{Login: query.Login}
ad1bcd 
+	if !has && params.Login != nil && *params.Login != "" {
ad1bcd 
+		user = &models.User{Login: *params.Login}
ad1bcd 
 		has, err = x.Get(user)
ad1bcd 
 		if err != nil {
ad1bcd 
 			return err
ad1bcd 
diff --git a/pkg/services/sqlstore/user_auth_test.go b/pkg/services/sqlstore/user_auth_test.go
ad1bcd 
index e5bb2379e5..d94ce34edb 100644
ad1bcd 
--- a/pkg/services/sqlstore/user_auth_test.go
ad1bcd 
+++ b/pkg/services/sqlstore/user_auth_test.go
ad1bcd 
@@ -45,7 +45,7 @@ func TestUserAuth(t *testing.T) {
ad1bcd 
 			// By Login
ad1bcd 
 			login := "loginuser0"
ad1bcd
ad1bcd 
-			query := &models.GetUserByAuthInfoQuery{Login: login}
ad1bcd 
+			query := &models.GetUserByAuthInfoQuery{UserLookupParams: models.UserLookupParams{Login: &login}}
ad1bcd 
 			err = GetUserByAuthInfo(query)
ad1bcd
ad1bcd 
 			So(err, ShouldBeNil)
ad1bcd 
@@ -54,7 +54,7 @@ func TestUserAuth(t *testing.T) {
ad1bcd 
 			// By ID
ad1bcd 
 			id := query.Result.Id
ad1bcd
ad1bcd 
-			query = &models.GetUserByAuthInfoQuery{UserId: id}
ad1bcd 
+			query = &models.GetUserByAuthInfoQuery{UserLookupParams: models.UserLookupParams{UserID: &id}}
ad1bcd 
 			err = GetUserByAuthInfo(query)
ad1bcd
ad1bcd 
 			So(err, ShouldBeNil)
ad1bcd 
@@ -63,7 +63,7 @@ func TestUserAuth(t *testing.T) {
ad1bcd 
 			// By Email
ad1bcd 
 			email := "user1@test.com"
ad1bcd
ad1bcd 
-			query = &models.GetUserByAuthInfoQuery{Email: email}
ad1bcd 
+			query = &models.GetUserByAuthInfoQuery{UserLookupParams: models.UserLookupParams{Email: &email}}
ad1bcd 
 			err = GetUserByAuthInfo(query)
ad1bcd
ad1bcd 
 			So(err, ShouldBeNil)
ad1bcd 
@@ -72,7 +72,7 @@ func TestUserAuth(t *testing.T) {
ad1bcd 
 			// Don't find nonexistent user
ad1bcd 
 			email = "nonexistent@test.com"
ad1bcd
ad1bcd 
-			query = &models.GetUserByAuthInfoQuery{Email: email}
ad1bcd 
+			query = &models.GetUserByAuthInfoQuery{UserLookupParams: models.UserLookupParams{Email: &email}}
ad1bcd 
 			err = GetUserByAuthInfo(query)
ad1bcd
ad1bcd 
 			So(err, ShouldEqual, models.ErrUserNotFound)
ad1bcd 
@@ -90,7 +90,7 @@ func TestUserAuth(t *testing.T) {
ad1bcd 
 			// create user_auth entry
ad1bcd 
 			login := "loginuser0"
ad1bcd
ad1bcd 
-			query.Login = login
ad1bcd 
+			query.UserLookupParams.Login = &login
ad1bcd 
 			err = GetUserByAuthInfo(query)
ad1bcd
ad1bcd 
 			So(err, ShouldBeNil)
ad1bcd 
@@ -104,9 +104,9 @@ func TestUserAuth(t *testing.T) {
ad1bcd 
 			So(query.Result.Login, ShouldEqual, login)
ad1bcd
ad1bcd 
 			// get with non-matching id
ad1bcd 
-			id := query.Result.Id
ad1bcd 
+			idPlusOne := query.Result.Id + 1
ad1bcd
ad1bcd 
-			query.UserId = id + 1
ad1bcd 
+			query.UserLookupParams.UserID = &idPlusOne
ad1bcd 
 			err = GetUserByAuthInfo(query)
ad1bcd
ad1bcd 
 			So(err, ShouldBeNil)
ad1bcd 
@@ -143,7 +143,7 @@ func TestUserAuth(t *testing.T) {
ad1bcd 
 			login := "loginuser0"
ad1bcd
ad1bcd 
 			// Calling GetUserByAuthInfoQuery on an existing user will populate an entry in the user_auth table
ad1bcd 
-			query := &models.GetUserByAuthInfoQuery{Login: login, AuthModule: "test", AuthId: "test"}
ad1bcd 
+			query := &models.GetUserByAuthInfoQuery{AuthModule: "test", AuthId: "test", UserLookupParams: models.UserLookupParams{Login: &login}}
ad1bcd 
 			err = GetUserByAuthInfo(query)
ad1bcd
ad1bcd 
 			So(err, ShouldBeNil)
ad1bcd 
@@ -178,7 +178,7 @@ func TestUserAuth(t *testing.T) {
ad1bcd 
 			// Calling GetUserByAuthInfoQuery on an existing user will populate an entry in the user_auth table
ad1bcd 
 			// Make the first log-in during the past
ad1bcd 
 			getTime = func() time.Time { return time.Now().AddDate(0, 0, -2) }
ad1bcd 
-			query := &models.GetUserByAuthInfoQuery{Login: login, AuthModule: "test1", AuthId: "test1"}
ad1bcd 
+			query := &models.GetUserByAuthInfoQuery{AuthModule: "test1", AuthId: "test1", UserLookupParams: models.UserLookupParams{Login: &login}}
ad1bcd 
 			err = GetUserByAuthInfo(query)
ad1bcd 
 			getTime = time.Now
ad1bcd
ad1bcd 
@@ -188,7 +188,7 @@ func TestUserAuth(t *testing.T) {
ad1bcd 
 			// Add a second auth module for this user
ad1bcd 
 			// Have this module's last log-in be more recent
ad1bcd 
 			getTime = func() time.Time { return time.Now().AddDate(0, 0, -1) }
ad1bcd 
-			query = &models.GetUserByAuthInfoQuery{Login: login, AuthModule: "test2", AuthId: "test2"}
ad1bcd 
+			query = &models.GetUserByAuthInfoQuery{AuthModule: "test2", AuthId: "test2", UserLookupParams: models.UserLookupParams{Login: &login}}
ad1bcd 
 			err = GetUserByAuthInfo(query)
ad1bcd 
 			getTime = time.Now
ad1bcd
ad1bcd 
diff --git a/pkg/services/sqlstore/user_test.go b/pkg/services/sqlstore/user_test.go
ad1bcd 
index 7da19f0ef4..aa796ffb02 100644
ad1bcd 
--- a/pkg/services/sqlstore/user_test.go
ad1bcd 
+++ b/pkg/services/sqlstore/user_test.go
ad1bcd 
@@ -455,7 +455,7 @@ func TestUserDataAccess(t *testing.T) {
ad1bcd 
 				// Calling GetUserByAuthInfoQuery on an existing user will populate an entry in the user_auth table
ad1bcd 
 				// Make the first log-in during the past
ad1bcd 
 				getTime = func() time.Time { return time.Now().AddDate(0, 0, -2) }
ad1bcd 
-				query := &models.GetUserByAuthInfoQuery{Login: login, AuthModule: "ldap", AuthId: "ldap0"}
ad1bcd 
+				query := &models.GetUserByAuthInfoQuery{AuthModule: "ldap", AuthId: "ldap0", UserLookupParams: models.UserLookupParams{Login: &login}}
ad1bcd 
 				err := GetUserByAuthInfo(query)
ad1bcd 
 				getTime = time.Now
ad1bcd
ad1bcd 
@@ -465,7 +465,7 @@ func TestUserDataAccess(t *testing.T) {
ad1bcd 
 				// Add a second auth module for this user
ad1bcd 
 				// Have this module's last log-in be more recent
ad1bcd 
 				getTime = func() time.Time { return time.Now().AddDate(0, 0, -1) }
ad1bcd 
-				query = &models.GetUserByAuthInfoQuery{Login: login, AuthModule: "oauth", AuthId: "oauth0"}
ad1bcd 
+				query = &models.GetUserByAuthInfoQuery{AuthModule: "oauth", AuthId: "oauth0", UserLookupParams: models.UserLookupParams{Login: &login}}
ad1bcd 
 				err = GetUserByAuthInfo(query)
ad1bcd 
 				getTime = time.Now
ad1bcd
ad1bcd 
@@ -511,7 +511,7 @@ func TestUserDataAccess(t *testing.T) {
ad1bcd 
 					// Calling GetUserByAuthInfoQuery on an existing user will populate an entry in the user_auth table
ad1bcd 
 					// Make the first log-in during the past
ad1bcd 
 					getTime = func() time.Time { return time.Now().AddDate(0, 0, -2) }
ad1bcd 
-					query := &models.GetUserByAuthInfoQuery{Login: login, AuthModule: "ldap", AuthId: fmt.Sprint("ldap", i)}
ad1bcd 
+					query := &models.GetUserByAuthInfoQuery{AuthModule: "ldap", AuthId: fmt.Sprint("ldap", i), UserLookupParams: models.UserLookupParams{Login: &login}}
ad1bcd 
 					err := GetUserByAuthInfo(query)
ad1bcd 
 					getTime = time.Now
ad1bcd
ad1bcd 
@@ -522,7 +522,7 @@ func TestUserDataAccess(t *testing.T) {
ad1bcd 
 				// Log in first user with oauth
ad1bcd 
 				login := "loginuser0"
ad1bcd 
 				getTime = func() time.Time { return time.Now().AddDate(0, 0, -1) }
ad1bcd 
-				query := &models.GetUserByAuthInfoQuery{Login: login, AuthModule: "oauth", AuthId: "oauth0"}
ad1bcd 
+				query := &models.GetUserByAuthInfoQuery{AuthModule: "oauth", AuthId: "oauth0", UserLookupParams: models.UserLookupParams{Login: &login}}
ad1bcd 
 				err := GetUserByAuthInfo(query)
ad1bcd 
 				getTime = time.Now
ad1bcd

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation