Commit graph

17 commits

Author SHA1 Message Date
Mariell Hoversholm
fb7336fc36
patch(security): apply May 2026 patches (#124824)
* patch(security): Access Control: Fix Editor can remove any annotation

GL-Vuln: VUL-2026-0018
GL-Public-After: 2026-05-12
GL-Partner-Rel: 2026-04-27
GL-Partner-Ack: 2026-02-17

* patch(security): fix(live): limit input body to 500k

GL-Vuln: VUL-2026-0031 https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/first-party/63
GL-Partner-Rel: 2026-04-09
GL-Public-After: 2026-05-12
GL-Partner-Ack: 2026-02-25T14:02:00Z

* patch(security): fix(plugins): limit input resource sizes

GL-Vuln: VUL-2026-0032 https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/first-party/64
GL-Partner-Rel: 2026-04-09
GL-Public-After: 2026-05-12
GL-Partner-Ack: 2026-02-25T14:02:00Z

* patch(security): patch(security): fix broken access control in snapshot delete handler

GL-Vuln: VUL-2026-0044 https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/first-party/76
GL-Partner-Rel: 2026-04-09
GL-Public-After: 2026-05-12
GL-Partner-Ack: 2026-03-31

* patch(security): patch(security): fix auth proxy IPv6 bare whitelist parsing (main)

GL-Vuln: VUL-2026-0045 https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/first-party/77
GL-Partner-Rel: 2026-04-09
GL-Public-After: 2026-05-12
GL-Partner-Ack: 2026-03-30

* patch(security): Live: Avoid concurrent map read and map write

GL-Vuln: VUL-2026-0049 https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/first-party/81
GL-Partner-Rel: 2026-04-09
GL-Public-After: 2026-05-12
GL-Partner-Ack: 2026-03-18

* patch(security): Dashboards: Fix /import permission setting

GL-Vuln: VUL-2026-0058 https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/first-party/90
GL-Partner-Rel: 2026-04-09
GL-Public-After: 2026-05-12
GL-Partner-Ack: 2026-03-24

* patch(security): MSSQL, MySQL, postgres infinite loop exploit

GL-Vuln: VUL-2026-0057 https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/first-party/89
GL-Partner-Rel: 2026-04-09
GL-Public-After: 2026-05-12
GL-Partner-Ack: 2026-03-20

* patch(security): patch(security): ServiceAccounts RBAC cache invalidation on permission change

GL-Vuln: VUL-2026-0061
GL-Public-After: 2026-05-12
GL-Partner-Rel: 2026-04-15
GL-Partner-Ack: 2026-04-06

* patch(security): SQL Expressions: Fix Security Bugs

GL-Vuln: VUL-2026-0064
GL-Public-After: 2026-05-12
GL-Partner-Rel: 2026-04-27
GL-Partner-Ack: 2026-04-11

* fix: nolint gocyclo

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-05-13 18:53:11 +02:00
Mariell Hoversholm
0e5d9e01ef
Security: Fix CVE-2026-27876, CVE-2026-27877, CVE-2026-28375, CVE-2026-27879, CVE-2026-27880 (#121514)
* patch(security): FrontendSettings: Only include used data sources for public dashboards

GL-Vuln: VUL-2026-0023 https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/first-party/55
GL-Partner-Ack: 2026-02-25T14:02:00Z

* patch(security): patch(security): block INTO clauses in SQL expression allowlist

GL-Vuln: VUL-2026-0025 https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/first-party/57
GL-Partner-Ack: 2026-02-24T13:35:00Z

* patch(security): fix(testdata): limit scenario data points

GL-Vuln: VUL-2026-0028 https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/first-party/60
GL-Partner-Ack: 2026-02-25T14:02:00Z

* patch(security): Add a limit to the upsample size in mathexp.Resample

GL-Vuln: VUL-2026-0029 https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/first-party/61
GL-Partner-Ack: 2026-02-25T14:02:00Z

* patch(security): security(expr/sql): disable file writes in SQL expression engine

GL-Vuln: VUL-2026-0025 https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/first-party/57
GL-Partner-Ack: 2026-02-24T13:35:00Z

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Matheus Macabu <macabu.matheus@gmail.com>
2026-03-31 14:02:49 +02:00
net0pyr
e249d9d3a7
SQL Expressions: Add "NOT" keyword to allow list (#116802)
fix(expressions): allow NOT expressions in SQL transformations

Add *sqlparser.NotExpr to the allowlist in allowedNode() function,
enabling queries like `WHERE NOT column` and `WHERE NOT (value > 5)`.

Fixes #116616
2026-02-04 09:50:37 -05:00
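The commits above keep extending an AST allowlist: `allowedNode()` admits `NotExpr`, `ParenSelect`, `CASE/WHEN` and so on one node type at a time, and the 0e5d9e01ef security commit blocks `INTO` clauses and file writes in the same allowlist. The Go block below is an added illustration of that default-deny shape and is not Grafana's code. It assumes a toy AST whose type names (`Select`, `SelectInto`, `Subquery`, `NotExpr`, `ComparisonExpr`, `FuncExpr`, `ColName`, `Literal`, `NullVal`) merely echo the vitess/go-mysql-server sqlparser vocabulary, a short constructed function allowlist, and constructed sample trees standing in for parsed queries. It shows why the walker must recurse into every child, including subqueries, so that a `SELECT ... INTO OUTFILE` cannot be smuggled in one level down, and why an unlisted function such as `LOAD_FILE` or an unknown node type is rejected without needing a denylist entry.

```go
package main

import (
	"fmt"
	"strings"
)

// Toy AST for this example only. The names echo the vitess/go-mysql-server
// sqlparser vocabulary, but the types are defined here; Grafana's allowlist
// walks the real parser's tree.
type (
	Node   interface{}
	Select struct {
		Columns []Node
		Where   Node
		Into    *SelectInto // set for SELECT ... INTO OUTFILE / DUMPFILE / @var
	}
	SelectInto     struct{ Target string }
	Subquery       struct{ Select Node } // e.g. right side of x IN (SELECT ...)
	ColName        struct{ Name string }
	Literal        struct{ Value string }
	NullVal        struct{}
	NotExpr        struct{ Expr Node }
	ComparisonExpr struct {
		Op          string
		Left, Right Node
	}
	FuncExpr struct {
		Name string
		Args []Node
	}
)

// Constructed, deliberately short function allowlist. MySQL function names
// are case-insensitive, so lookups lower-case the name first.
var allowedFunctions = map[string]bool{
	"abs": true, "lower": true, "substring_index": true, "regexp_substr": true,
}

// allowedNode is default-deny: a node passes only if its type has an explicit
// case here and every child passes too. Subqueries are recursed into so an
// INTO clause cannot hide one level down; unknown node types fall to default.
func allowedNode(n Node) error {
	switch v := n.(type) {
	case nil:
		return nil
	case *Select:
		if v.Into != nil {
			return fmt.Errorf("INTO clause is not allowed (target %q)", v.Into.Target)
		}
		if err := allowAll(v.Columns); err != nil {
			return err
		}
		return allowedNode(v.Where)
	case *Subquery:
		return allowedNode(v.Select)
	case *ColName, *Literal, *NullVal:
		return nil
	case *NotExpr:
		return allowedNode(v.Expr)
	case *ComparisonExpr:
		return allowAll([]Node{v.Left, v.Right})
	case *FuncExpr:
		if !allowedFunctions[strings.ToLower(v.Name)] {
			return fmt.Errorf("function %q is not allowed", v.Name)
		}
		return allowAll(v.Args)
	default:
		return fmt.Errorf("node type %T is not allowed", n)
	}
}

// allowAll checks a list of children, stopping at the first rejection.
func allowAll(children []Node) error {
	for _, c := range children {
		if err := allowedNode(c); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed trees standing in for parsed queries.
	samples := map[string]Node{
		"SELECT value FROM A WHERE NOT (value > 5)": &Select{
			Columns: []Node{&ColName{"value"}},
			Where:   &NotExpr{&ComparisonExpr{">", &ColName{"value"}, &Literal{"5"}}},
		},
		"SELECT id FROM A WHERE id IN (SELECT id FROM B INTO OUTFILE '/tmp/out')": &Select{
			Columns: []Node{&ColName{"id"}},
			Where: &ComparisonExpr{"IN", &ColName{"id"},
				&Subquery{&Select{Columns: []Node{&ColName{"id"}}, Into: &SelectInto{"/tmp/out"}}}},
		},
		"SELECT LOAD_FILE('/etc/passwd') FROM A": &Select{
			Columns: []Node{&FuncExpr{"LOAD_FILE", []Node{&Literal{"/etc/passwd"}}}},
		},
	}
	for sql, tree := range samples {
		if err := allowedNode(tree); err != nil {
			fmt.Printf("DENY  %s: %v\n", sql, err)
		} else {
			fmt.Printf("ALLOW %s\n", sql)
		}
	}
}
```

The point of the `default` arm is that adding a node type to the parser never silently widens what users can run: until someone writes a case for it, it is rejected. That is also why each commit in this history is a small, reviewable addition rather than a removal from a blocklist.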
Kyle Brandt
92a6faeff2
SQL Expressions: Add Functions to Allow list (#113291)
Add assorted math, windowing, json, date/time, regex, string, conditional, and aggregation functions to allow list
2025-10-31 10:45:56 -04:00
Kyle Brandt
4f0cb47d3c
SQL Expressions: Rework backend errors and error instrumentation (#109633)
* Capture error_type label on metrics/traces
* Make error messages more helpful to user
* Use errutil, categorized errors, and tie them to error_type (category in code)
* Misc trace fixes
* Add metric to track SQL input conversion
2025-08-25 11:13:42 -04:00
Sam Jewell
f8a72214cf
SQL Expressions: Add more functions to the allowlist (#103546)
* SQL Expressions: Allow many more functions and nodes

* Also allow the `REGEXP_SUBSTR` function

* Add window functions

* add more JSON support, remove now and current time (for now)

---------

Co-authored-by: Kyle Brandt <kyle@grafana.com>
2025-04-07 21:23:39 +03:00
Kyle Brandt
856dcfd6fe
SQL Expressions: Permit range conditions (between) in queries (#103238) 2025-04-02 15:13:17 +03:00
Sam Jewell
af08a9fae2
SQL Expressions: Add JSON support (#103157)
- Support bi-directional mapping of frame JSON fields and GMS (go-mysql-server) columns 
- Permit GMS json functions

Co-authored-by: Kyle Brandt <kyle@grafana.com>
2025-04-01 07:45:01 -04:00
Kyle Brandt
e6480a050c
SQL Expressions: Allow substring_index func (#103021) 2025-03-27 16:49:21 -04:00
Sam Jewell
c9e929e2e6
SQL Expressions: Allow more MySQL AST node-types (#102973)
* SQL Expressions: Add Null-literal node

* Retain some order in the code - put NullVal with BoolVal

* Add support for `IN` keyword

* Add GROUP_CONCAT keyword

* Add COLLATE keyword

From Claude:

The test case demonstrates a simple use of COLLATE with a string
literal, but in real MySQL queries, COLLATE is often used in more
complex scenarios like:

1. String comparisons:
   `SELECT * FROM table WHERE name COLLATE utf8mb4_bin = 'John'`
2. Sorting:
   `SELECT * FROM table ORDER BY name COLLATE utf8mb4_unicode_ci`
3. JOINs:
   `SELECT * FROM table1 JOIN table2 ON table1.name COLLATE utf8mb4_bin = table2.name`

The COLLATE clause is particularly useful when you need case-sensitive
comparisons (utf8mb4_bin) or specific language-aware sorting rules.
2025-03-27 11:32:48 +00:00
Sam Jewell
6be7829acf
SQL Expressions: Allow IS keyword (#102841) 2025-03-26 09:05:42 +00:00
Kyle Brandt
0f6aff2057
SQL Expressions: allow ParenSelect in queries (#102807)
sql_expressions: allow ParenSelect
2025-03-25 16:19:52 +00:00
Sam Jewell
21b9d45ca6
SQL Expressions: Add CASE/WHEN nodes and fixes (and test) for functions just added to allowlist (#102040)
* SQL Expressions: Add CASE/WHEN SQL nodes to allowlist

* Fixed and test for functions added in #102011

* Add remaining functions to the test-case

These are mostly aliases, so the LLM chose to omit them originally.
But adding now for completeness

* Fix ordering of allowed nodes
2025-03-12 15:57:50 +00:00
Sam Jewell
4bd5f29e05
SQL Expressions: Allow more functions (#102011)
I used Cursor and Claude 3.7 thinking to expand the list of functions
we allow. Specifically I needed `abs`.

TODO: Check each of these in the official MySQL docs to ensure they
are all safe:
eg. this doc: https://dev.mysql.com/doc/refman/8.4/en/flow-control-functions.html#operator_case
2025-03-12 11:39:48 +00:00
Kyle Brandt
6dc98dbbcc
SQL Expressions: Add str_to_date function and unskip test (#100226) 2025-02-07 11:51:55 +02:00
Kyle Brandt
d196b789e2
SQL Expressions: Add more SQLNodes and funcs to allow list (#100227)
sql_expr: Add more Nodes and funcs to allow list
2025-02-07 09:44:17 +00:00
Kyle Brandt
d64f41afdc
SQL Expressions: Re-implement feature using go-mysql-server (#99521)
* Under feature flag `sqlExpressions` and is experimental
* Excluded from arm32
* Will not work with the Query Service yet
* Does not have limits in place yet
* Does not work with alerting yet
* Currently requires "prepare time series" Transform for time series viz
 
---------

Co-authored-by: Sam Jewell <sam.jewell@grafana.com>
2025-02-06 07:27:28 -05:00