VolkovLabs / volkovlabs-dynamictext-panel

Business Text Panel for @grafana
https://docs.volkovlabs.io
Apache License 2.0
78 stars 14 forks

JS and security #170

Closed darkleaf closed 1 year ago

darkleaf commented 1 year ago

Could you please write a security guide?

What happens if one of the dashboard editors embeds some malicious code? For example, they can exploit XSS.

mikhail-vl commented 1 year ago

@darkleaf, DynamicText provides flexibility with JavaScript, and at the same time, limited security features in Grafana allow editors to potentially embed any code.

It's a good idea to create a security guide for all our plugins, and we will plan to do it (https://github.com/VolkovLabs/volkovlabs.io/issues/347).

For our commercial projects, we use provisioning for dashboards, data sources, and alerts. Provisioned files are not editable and can prevent malicious code. At the same time, editors can create new dashboards.

If you have security concerns with your Editors, you may consider using the pre-JS version (https://github.com/VolkovLabs/volkovlabs-dynamictext-panel/releases/tag/v2.1.0), which supports Markdown + Handlebars with sanitizing.

Let me know if there is anything else.

darkleaf commented 1 year ago

> For our commercial projects, we use provisioning for dashboards, data sources, and alerts. Provisioned files are not editable and can prevent malicious code. At the same time, editors can create new dashboards.

Yes, we do the same.

Will it be possible to enable JS only for provisioned dashboards?

mikhail-vl commented 1 year ago

@darkleaf I am not sure if it's possible to differentiate the dashboard. I have to look closer at the Grafana source code and available properties.

The only solution I can think of is to disable Javascript if sanitize mode is enabled, which will be a breaking change. Do you use JavaScript at all or keep it to Handlebars and Markdown only?

mikhail-vl commented 1 year ago

Even if we prevent editing JS in the panel options and allow it for Admins only, Editors can still edit the JSON file directly.

darkleaf commented 1 year ago

> The only solution I can think of is to disable Javascript if sanitize mode is enabled, which will be a breaking change. Do you use JavaScript at all or keep it to Handlebars and Markdown only?

I agree with you. It should not be a breaking change.

Does Grafana allow access to ENV? The panel could get VOLKOVLABS_DYNAMIC_TEXT_SECRET and check the signature of the JS code. If the variable is not set, evaluating any JS is allowed. So there will be no breaking changes.

mikhail-vl commented 1 year ago

@darkleaf I talked with the Grafana Plugins team. They are working on a controlled Sandbox for plugins, which will be available in "a couple of months".

mikhail-vl commented 1 year ago

We closely follow the new Grafana v10 versions and will look for new Sandbox features to update when it's ready.