resolve CVE-2023-3128 grafana: Remove Email Lookup from oauth integrations
parent
53f206ac65
commit
f70a707434
@ -0,0 +1,64 @@
|
|||
From bae86dbeb0ad68a205454e98e76985dc393183d4 Mon Sep 17 00:00:00 2001
|
||||
From: Ieva <ieva.vasiljeva@grafana.com>
|
||||
Date: Tue, 6 Jun 2023 17:45:31 +0100
|
||||
Subject: [PATCH] Auth: Remove Email Lookup from oauth integrations 9.2 (#898)
|
||||
|
||||
backport https://github.com/grafana/grafana-private-mirror/pull/894 to 9.3.x
|
||||
---
|
||||
pkg/api/login_oauth.go | 17 +++++++++--------
|
||||
pkg/setting/setting.go | 5 ++++-
|
||||
2 files changed, 13 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
|
||||
index 22014aee433c2..af00c56a68ccd 100644
|
||||
--- a/pkg/api/login_oauth.go
|
||||
+++ b/pkg/api/login_oauth.go
|
||||
@@ -302,16 +302,17 @@ func (hs *HTTPServer) SyncUser(
|
||||
connect social.SocialConnector,
|
||||
) (*user.User, error) {
|
||||
oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile")
|
||||
+ lookupParams := models.UserLookupParams{}
|
||||
+ if hs.Cfg.OAuthAllowInsecureEmailLookup {
|
||||
+ lookupParams.Email = &extUser.Email
|
||||
+ }
|
||||
+
|
||||
// add/update user in Grafana
|
||||
cmd := &models.UpsertUserCommand{
|
||||
- ReqContext: ctx,
|
||||
- ExternalUser: extUser,
|
||||
- SignupAllowed: connect.IsSignupAllowed(),
|
||||
- UserLookupParams: models.UserLookupParams{
|
||||
- Email: &extUser.Email,
|
||||
- UserID: nil,
|
||||
- Login: nil,
|
||||
- },
|
||||
+ ReqContext: ctx,
|
||||
+ ExternalUser: extUser,
|
||||
+ SignupAllowed: connect.IsSignupAllowed(),
|
||||
+ UserLookupParams: lookupParams,
|
||||
}
|
||||
|
||||
if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil {
|
||||
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
|
||||
index 20e8f78a2f55c..03aa5c17d8682 100644
|
||||
--- a/pkg/setting/setting.go
|
||||
+++ b/pkg/setting/setting.go
|
||||
@@ -318,7 +318,8 @@ type Cfg struct {
|
||||
AuthProxySyncTTL int
|
||||
|
||||
// OAuth
|
||||
- OAuthCookieMaxAge int
|
||||
+ OAuthCookieMaxAge int
|
||||
+ OAuthAllowInsecureEmailLookup bool
|
||||
|
||||
// JWT Auth
|
||||
JWTAuthEnabled bool
|
||||
@@ -1305,6 +1306,8 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
|
||||
return err
|
||||
}
|
||||
|
||||
+ cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)
|
||||
+
|
||||
const defaultMaxLifetime = "30d"
|
||||
maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime)
|
||||
cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)
|
|
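Review bot: The `OAuthAllowInsecureEmailLookup` field added to `Cfg` in the setting.go hunk has no doc comment, so nothing on the struct tells an operator what the option re-enables or why it is labelled insecure, and the `oauth_allow_insecure_email_lookup` key read in `readAuthSettings` is likewise unexplained. Suggest `// OAuthAllowInsecureEmailLookup re-enables matching an OAuth login to an existing user by the provider-reported email (auth.oauth_allow_insecure_email_lookup, default false); keep it off unless every configured provider verifies email ownership, because the lookup trusts that address to select the account.` In the login_oauth.go hunk the flag's only effect is to set `lookupParams.Email` from `extUser.Email`, and enabling it leaves no trace in the logs; a one-line `oauthLogger.Warn("OAuth email lookup enabled via oauth_allow_insecure_email_lookup; users are matched by provider-supplied email")` inside the `if` would let operators spot the weakened configuration. Both `SyncUser` and `readAuthSettings` start before their hunks and continue past them.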
@ -23,7 +23,7 @@ end}
|
|||
|
||||
Name: grafana
|
||||
Version: 9.2.10
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: Metrics dashboard and graph editor
|
||||
License: AGPLv3
|
||||
URL: https://grafana.org
|
||||
|
@ -68,6 +68,8 @@ Patch6: 0006-skip-marketplace-plugin-install-test.patch
|
|||
Patch7: 0007-fix-alert-test.patch
|
||||
Patch8: 0008-graphite-functions-xss.patch
|
||||
Patch9: 0009-redact-weak-ciphers.patch
|
||||
# https://github.com/grafana/grafana/commit/bae86dbeb0ad68a205454e98e76985dc393183d4
|
||||
Patch10: 0010-remove-email-lookup.patch
|
||||
|
||||
# Patches affecting the vendor tarball
|
||||
Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
|
||||
|
@ -724,6 +726,7 @@ rm -r plugins-bundled
|
|||
%patch -P 7 -p1
|
||||
%patch -P 8 -p1
|
||||
%patch -P 9 -p1
|
||||
%patch -P 10 -p1
|
||||
|
||||
%patch -P 1001 -p1
|
||||
%if %{enable_fips_mode}
|
||||
|
@ -914,6 +917,9 @@ export GOEXPERIMENT=boringcrypto
|
|||
|
||||
|
||||
%changelog
|
||||
* Sat Jul 22 2023 Carl George <carl@redhat.com> - 9.2.10-4
|
||||
- resolve CVE-2023-3128 grafana: Remove Email Lookup from oauth integrations
|
||||
|
||||
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 9.2.10-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
|
|