root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 137 Packages Projects Releases Wiki Activity

chore: add validation for names in loadScriptedDashboard

This commit is contained in:
Kristian Bremberg 2025-10-07 14:37:09 +02:00
parent 2c5ccd3283
commit 5319d5f185
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
public/app/features/dashboard/services/DashboardLoaderSrv.ts
View File

@ -40,7 +40,13 @@ abstract class DashboardLoaderSrvBase<T> implements DashboardLoaderSrvLike<T> {
abstract loadSnapshot(slug: string): Promise<T>; abstract loadSnapshot(slug: string): Promise<T>;
protected loadScriptedDashboard(file: string) { protected loadScriptedDashboard(file: string) {
const url = 'public/dashboards/' + file.replace(/\.(?!js)/, '/') + '?' + new Date().getTime(); const fileRegex = /^[a-zA-Z0-9-_.]*\.js$/;
if (file && !fileRegex.test(file)) {
return Promise.reject(new Error('Invalid script name'));
}
const url = `public/dashboards/${file}?${new Date().getTime()}`;
return getBackendSrv() return getBackendSrv()
.get(url, undefined, undefined, { validatePath: true }) .get(url, undefined, undefined, { validatePath: true })