grafana / plugin-validator

Tool for validating Grafana community plugins
Apache License 2.0

Verify file permissions in zip files #185

Closed tolzhabayev closed 6 months ago

tolzhabayev commented 6 months ago

Even though we do our best to try to set the file permissions correctly when we generate them - it can happen that sometimes those file permissions get modified by users.

The validator should have a new check to ensure that the permissions are set properly for files other than executables as well: https://github.com/grafana/plugin-validator/blob/18ec4dc7c75b222e3641de979936159a1cc86b82/pkg/analysis/passes/binarypermissions/binarypermissions.go#L4

Additional checks:

Check that the following permissions are set:

An example of where it failed recently was a plugin manifest file called go_plugin_build_manifest, which is usually generated with 755: https://github.com/grafana/grafana-plugin-sdk-go/blob/3bbfa89bed9c0882140eee5004e2657cf9ae2fce/build/common.go#L205

But for some reason it ended up being 600 in the following plugin: https://grafana.com/api/plugins/oci-metrics-datasource/versions/5.2.0/download

This led the verifyHash function to fail and mark the plugin as invalid signature / modified signature: https://github.com/grafana/grafana/blob/0220fd588a2ef308ede052da79d5daa91eb33015/pkg/plugins/manager/signature/manifest.go#L264 on Grafana Cloud. We did not catch this locally as we are probably running Grafana with a different set of privileges and did not have this issue.
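The check the issue asks for, as an added illustration in Go that is not the plugin-validator's own code. It assumes a naming rule for executables (backend binaries named gpx_* and the SDK's go_plugin_build_manifest must be 0755) and a policy for everything else (readable by owner, group and others, never world-writable); both are assumptions, not the validator's actual policy. The sample archive is constructed in memory to reproduce the 0600 manifest case from the issue, so the example runs offline.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io/fs"
	"path"
	"strings"
)

// Entry is one constructed file (or directory) to put in the sample archive.
type Entry struct {
	Name string
	Mode fs.FileMode
	Body string
}

// Finding is one zip entry whose stored permission bits look wrong.
type Finding struct {
	Name   string
	Perm   fs.FileMode
	Reason string
}

const (
	ReasonBadExecMode   = "executable should be 0755"
	ReasonNotReadable   = "not readable by owner, group and others"
	ReasonWorldWritable = "writable by everyone"
)

// IsExpectedExecutable is an assumed naming rule (hypothetical, not the
// validator's): Go backend binaries ship as gpx_* and the SDK's build
// manifest is normally written with mode 0755.
func IsExpectedExecutable(name string) bool {
	base := path.Base(name) // zip names always use forward slashes
	return strings.HasPrefix(base, "gpx_") || base == "go_plugin_build_manifest"
}

// CheckZipPermissions opens an in-memory zip and returns one Finding per
// regular file whose Unix permission bits would break reading or executing
// it after extraction. Directory entries are skipped.
func CheckZipPermissions(data []byte, isExecutable func(string) bool) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range zr.File {
		mode := f.Mode() // decoded from the entry's external attributes
		if mode.IsDir() {
			continue
		}
		perm := mode.Perm()
		switch {
		case isExecutable(f.Name):
			if perm != 0o755 {
				findings = append(findings, Finding{f.Name, perm, ReasonBadExecMode})
			}
		case perm&0o444 != 0o444:
			// The 0600 manifest from the issue lands here: the user who unpacked
			// it can read it, a Grafana process under a different uid cannot.
			findings = append(findings, Finding{f.Name, perm, ReasonNotReadable})
		case perm&0o002 != 0:
			findings = append(findings, Finding{f.Name, perm, ReasonWorldWritable})
		}
	}
	return findings, nil
}

// BuildZip writes the entries with explicit Unix modes, as a packaging step
// that preserves file modes would.
func BuildZip(entries []Entry) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		hdr := &zip.FileHeader{Name: e.Name, Method: zip.Deflate}
		hdr.SetMode(e.Mode) // stored as Unix external attributes
		fw, err := w.CreateHeader(hdr)
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write([]byte(e.Body)); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// SampleEntries is a constructed plugin layout, not a real plugin archive.
func SampleEntries() []Entry {
	return []Entry{
		{"myplugin/", fs.ModeDir | 0o755, ""},
		{"myplugin/plugin.json", 0o644, `{"id":"myplugin"}`},
		{"myplugin/gpx_myplugin_linux_amd64", 0o755, "ELF..."},
		{"myplugin/go_plugin_build_manifest", 0o600, "sha256 lines"}, // the case from the issue
		{"myplugin/module.js", 0o600, "export {}"},
		{"myplugin/README.md", 0o666, "# myplugin"},
	}
}

func main() {
	data, err := BuildZip(SampleEntries())
	if err != nil {
		panic(err)
	}
	findings, err := CheckZipPermissions(data, IsExpectedExecutable)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %04o %s\n", f.Name, f.Perm, f.Reason)
	}
}
```

Run it and the three bad entries are reported (the 0600 manifest, the 0600 module.js and the world-writable README); the 0755 binary and the 0644 plugin.json pass. Note that archives produced on Windows carry MS-DOS attributes rather than Unix modes, so `f.Mode()` will report 0666 or 0777 for every entry; a real check would want to record which creator system wrote the archive before trusting the bits.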