Misthios/grafana-zabbix
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(backend): Add query guardrails to prevent potential issues (#2149)

Browse Source 
## Summary

Implements query guardrails in the backend to prevent execution of
expensive or malformed queries that could impact customer environments.

Part of https://github.com/grafana/oss-big-tent-squad/issues/127

## Changes

### New guardrails added:

1. **Item ID validation** (`queryItemIdData`)
   - Validates that item IDs are non-empty
   - Validates that item IDs contain only numeric values

2. **Time range validation** (`QueryData`)
   - Validates that `From` timestamp is before `To` timestamp

3. **API method allowlist** (`ZabbixAPIHandler`)
- Only allows Zabbix API methods defined in the frontend type
`zabbixMethodName`
   - Blocks any write/delete/update operations not in the allowlist

### New files:
- `pkg/datasource/guardrails.go` - Validation functions and error
definitions
- `pkg/datasource/guardrails_test.go` - Unit tests for all validation
functions

### Modified files:
- `pkg/datasource/datasource.go` - Added time range validation
- `pkg/datasource/zabbix.go` - Added item ID validation  
- `pkg/datasource/resource_handler.go` - Added API method validation

## Reasoning
- Allowed functions might be unnecessary as we've already prevent using
those in
[types.ts](https://github.com/grafana/grafana-zabbix/blob/main/src/datasource/zabbix/types.ts#L1-L23)
but it's nice to be cautious.
- itemid and time validation is just for sanity. 
- Time range validation will be necessary in the future to warn user
agains running expensive queries.
This commit is contained in:
ismail simsek
2025-12-29 18:57:17 +01:00
committed by GitHub
parent 3e626d3aa5
commit 04fca562b0
5 changed files with 456 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
pkg/datasource/resource_handler.go
View File

@@ -51,6 +51,13 @@ func (ds *ZabbixDatasource) ZabbixAPIHandler(rw http.ResponseWriter, req *http.R
return
}
// Validate API method is allowed (guardrail)
if err := ValidateAPIMethod(reqData.Method); err != nil {
ds.logger.Warn("Blocked API method", "method", reqData.Method)
writeError(rw, http.StatusForbidden, err)
return
}
ctx := req.Context()
pluginCxt := backend.PluginConfigFromContext(ctx)
dsInstance, err := ds.getDSInstance(ctx, pluginCxt)