From 5319d5f18512771f020767094a438a020625feaa Mon Sep 17 00:00:00 2001
From: Kristian Bremberg
Date: Tue, 7 Oct 2025 14:37:09 +0200
Subject: [PATCH] chore: add validation for names in loadScriptedDashboard
---
 .../app/features/dashboard/services/DashboardLoaderSrv.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/public/app/features/dashboard/services/DashboardLoaderSrv.ts b/public/app/features/dashboard/services/DashboardLoaderSrv.ts
index ef3ec5fb279..bc563ed0a82 100644
--- a/public/app/features/dashboard/services/DashboardLoaderSrv.ts
+++ b/public/app/features/dashboard/services/DashboardLoaderSrv.ts
@@ -40,7 +40,13 @@ abstract class DashboardLoaderSrvBase implements DashboardLoaderSrvLike {
 abstract loadSnapshot(slug: string): Promise;
 protected loadScriptedDashboard(file: string) {
- const url = 'public/dashboards/' + file.replace(/\.(?!js)/, '/') + '?' + new Date().getTime();
+ const fileRegex = /^[a-zA-Z0-9-_.]*\.js$/;
+
+ if (file && !fileRegex.test(file)) {
+ return Promise.reject(new Error('Invalid script name'));
+ }
+
+ const url = `public/dashboards/${file}?${new Date().getTime()}`;
 return getBackendSrv()
 .get(url, undefined, undefined, { validatePath: true })
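Review bot: The `file &&` guard in the new check lets an empty or otherwise falsy `file` skip the allow-list entirely, so the request is still built as `public/dashboards/?<timestamp>`; the validation should be unconditional, e.g. `if (!fileRegex.test(file)) {`. The `*` quantifier also accepts a bare `.js`, and the unescaped `-` in the middle of the character class is easy to misread as a range; `/^[a-zA-Z0-9_.-]+\.js$/` keeps the same character set while requiring at least one name character. What confines the name to `public/dashboards/` is that the class excludes `/`, `\` and `%`, so a one-line comment above `fileRegex` stating that would protect it from being loosened later. The old dot-to-slash mapping (`file.replace(/\.(?!js)/, '/')`) appears to be dropped, so scripts in subfolders would no longer resolve; that is worth stating in the commit description if intended. The body of `loadScriptedDashboard` continues past the end of the hunk.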