Affected by GO-2022-0342 and 33 other vulnerabilities

GO-2022-0342: Grafana XSS in Dashboard Text Panel in github.com/grafana/grafana

GO-2022-0707: Grafana Authentication Bypass in github.com/grafana/grafana

GO-2024-2483: Grafana XSS via adding a link in General feature in github.com/grafana/grafana

GO-2024-2510: Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana

GO-2024-2513: Grafana information disclosure in github.com/grafana/grafana

GO-2024-2515: Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana

GO-2024-2516: Grafana XSS via a column style in github.com/grafana/grafana

GO-2024-2517: Grafana XSS in header column rename in github.com/grafana/grafana

GO-2024-2519: Grafana world readable configuration files in github.com/grafana/grafana

GO-2024-2520: Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana

GO-2024-2523: Grafana stored XSS in github.com/grafana/grafana

GO-2024-2629: Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana

GO-2024-2661: Arbitrary file read in github.com/grafana/grafana

GO-2024-2697: Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana

GO-2024-2843: Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana

GO-2024-2844: Grafana User enumeration via forget password in github.com/grafana/grafana

GO-2024-2847: Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana

GO-2024-2848: Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana

GO-2024-2851: Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana

GO-2024-2852: Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana

GO-2024-2854: Grafana folders admin only permission privilege escalation in github.com/grafana/grafana

GO-2024-2855: Grafana Plugin signature bypass in github.com/grafana/grafana

GO-2024-2856: Grafana Race condition allowing privilege escalation in github.com/grafana/grafana

GO-2024-2857: Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana

GO-2024-2867: Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana

GO-2024-3079: Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana

GO-2024-3215: Grafana Command Injection And Local File Inclusion Via Sql Expressions in github.com/grafana/grafana

GO-2024-3240: Grafana org admin can delete pending invites in different org in github.com/grafana/grafana

GO-2025-3438: Grafana Alerting VictorOps integration could be exposed to users with Viewer permission in github.com/grafana/grafana

GO-2025-3704: Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin in github.com/grafana/grafana

GO-2025-3740: Grafana vulnerable to authenticated users bypassing dashboard, folder permissions in github.com/grafana/grafana

GO-2025-3742: Grafana's datasource proxy API allows authorization checks to be bypassed in github.com/grafana/grafana

GO-2025-3814: Grafana's insecure DingDing Alert integration exposes sensitive information in github.com/grafana/grafana

GO-2025-3817: Grafana is vulnerable to XSS attacks through open redirects and path traversal in github.com/grafana/grafana

auth

package

v0.0.0-test.2 Latest Latest Go to latest Published: Jul 20, 2023 License: AGPL-3.0 Imports: 9 Imported by: 88

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/grafana/grafana

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
type CreateTokenErr
- func (e *CreateTokenErr) Error() string
type JWTVerifierService
type RevokeAuthTokenCmd
type RotateCommand
type TokenExpiredError
- func (e *TokenExpiredError) Error() string
- func (e *TokenExpiredError) Unwrap() error
type TokenRevokedError
type UserToken
type UserTokenBackgroundService
type UserTokenService

Constants ¶

View Source

const (
	QuotaTargetSrv quota.TargetSrv = "auth"
	QuotaTarget    quota.Target    = "session"
)

Variables ¶

View Source

var (
	ErrUserTokenNotFound   = errors.New("user token not found")
	ErrInvalidSessionToken = usertoken.ErrInvalidSessionToken
)

Typed errors

Functions ¶

This section is empty.

Types ¶

type CreateTokenErr ¶

type CreateTokenErr struct {
	StatusCode  int
	InternalErr error
	ExternalErr string
}

CreateTokenErr represents a token creation error; used in Enterprise

func (*CreateTokenErr) Error ¶

func (e *CreateTokenErr) Error() string

type JWTVerifierService ¶

type JWTVerifierService = jwt.JWTService

type RevokeAuthTokenCmd ¶

type RevokeAuthTokenCmd struct {
	AuthTokenId int64 `json:"authTokenId"`
}

type RotateCommand ¶

type RotateCommand struct {
	// token is the un-hashed token
	UnHashedToken string
	IP            net.IP
	UserAgent     string
}

type TokenExpiredError ¶

type TokenExpiredError struct {
	UserID  int64
	TokenID int64
}

func (*TokenExpiredError) Error ¶

func (e *TokenExpiredError) Error() string

func (*TokenExpiredError) Unwrap ¶

func (e *TokenExpiredError) Unwrap() error

type TokenRevokedError ¶

type TokenRevokedError = usertoken.TokenRevokedError

type UserToken ¶

type UserToken = usertoken.UserToken

type UserTokenBackgroundService ¶

type UserTokenBackgroundService interface {
	registry.BackgroundService
}

type UserTokenService ¶

type UserTokenService interface {
	CreateToken(ctx context.Context, user *user.User, clientIP net.IP, userAgent string) (*UserToken, error)
	LookupToken(ctx context.Context, unhashedToken string) (*UserToken, error)
	// RotateToken will always rotate a valid token
	RotateToken(ctx context.Context, cmd RotateCommand) (*UserToken, error)
	TryRotateToken(ctx context.Context, token *UserToken, clientIP net.IP, userAgent string) (bool, *UserToken, error)
	RevokeToken(ctx context.Context, token *UserToken, soft bool) error
	RevokeAllUserTokens(ctx context.Context, userId int64) error
	GetUserToken(ctx context.Context, userId, userTokenId int64) (*UserToken, error)
	GetUserTokens(ctx context.Context, userId int64) ([]*UserToken, error)
	GetUserRevokedTokens(ctx context.Context, userId int64) ([]*UserToken, error)
}

UserTokenService are used for generating and validating user tokens

Source Files ¶

View all Source files

auth.go

Directories ¶

Path	Synopsis
authimpl
authtest
jwt

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL