
dasboard_history: security fix, added orgId filter to dashboard version lookup

Torkel Ödegaard 8 years ago
parent
commit
46412c8475

+ 3 - 0
pkg/api/dashboard.go

@@ -346,6 +346,9 @@ func CalculateDashboardDiff(c *middleware.Context, apiOptions dtos.CalculateDiff
 
 	result, err := dashdiffs.CalculateDiff(&options)
 	if err != nil {
+		if err == m.ErrDashboardVersionNotFound {
+			return ApiError(404, "Dashboard version not found", err)
+		}
 		return ApiError(500, "Unable to compute diff", err)
 	}
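Review bot: The org scoping this commit relies on is only as strong as the source of `options.OrgId`, and the hunk does not show where `options` is built from `apiOptions`: it must be copied from the authenticated context (`c.OrgId`), never from the request body, or a client could name any org and defeat the filter. A one-line comment at the point where `options` is assembled would pin that contract, e.g. `// OrgId comes from the session, not from apiOptions: it is the authorization boundary for the version lookups.` Mapping ErrDashboardVersionNotFound to 404 rather than 403 is the right choice, since it does not reveal whether a version in another org exists. An org check is not a per-dashboard permission check, so any finer-grained viewer restrictions are presumably enforced before this point and are not visible here. CalculateDashboardDiff begins before and continues after the hunk.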
 

+ 2 - 0
pkg/components/dashdiffs/compare.go

@@ -65,6 +65,7 @@ func CalculateDiff(options *Options) (*Result, error) {
 	baseVersionQuery := models.GetDashboardVersionQuery{
 		DashboardId: options.Base.DashboardId,
 		Version:     options.Base.Version,
+		OrgId:       options.OrgId,
 	}
 
 	if err := bus.Dispatch(&baseVersionQuery); err != nil {
@@ -74,6 +75,7 @@ func CalculateDiff(options *Options) (*Result, error) {
 	newVersionQuery := models.GetDashboardVersionQuery{
 		DashboardId: options.New.DashboardId,
 		Version:     options.New.Version,
+		OrgId:       options.OrgId,
 	}
 
 	if err := bus.Dispatch(&newVersionQuery); err != nil {
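Review bot: `Options.OrgId` is now an authorization input to both version queries, yet nothing in CalculateDiff rejects a zero value, so a caller that forgets to set it gets `dashboard.org_id=0` and every lookup fails with ErrDashboardVersionNotFound instead of an error that names the real mistake. Failing closed is the right default, but the contract deserves to be written down on the `OrgId` field of `Options` (declared outside this hunk): `// OrgId scopes the Base and New version lookups to one organisation; set it from the authenticated user, never from client input.` Using the same OrgId for both lookups also makes a cross-org diff impossible by construction, which is worth stating so nobody later "relaxes" one side. CalculateDiff starts before and continues after the hunk.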

+ 11 - 34
pkg/services/sqlstore/dashboard_version.go

@@ -10,15 +10,22 @@ func init() {
 	bus.AddHandler("sql", GetDashboardVersions)
 }
 
-// GetDashboardVersion gets the dashboard version for the given dashboard ID
-// and version number.
+// GetDashboardVersion gets the dashboard version for the given dashboard ID and version number.
 func GetDashboardVersion(query *m.GetDashboardVersionQuery) error {
-	result, err := getDashboardVersion(query.DashboardId, query.Version)
+	version := m.DashboardVersion{}
+	has, err := x.Where("dashboard_version.dashboard_id=? AND dashboard_version.version=? AND dashboard.org_id=?", query.DashboardId, query.Version, query.OrgId).
+		Join("LEFT", "dashboard", `dashboard.id = dashboard_version.dashboard_id`).
+		Get(&version)
+
 	if err != nil {
 		return err
 	}
 
-	query.Result = result
+	if !has {
+		return m.ErrDashboardVersionNotFound
+	}
+
+	query.Result = &version
 	return nil
 }
 
@@ -50,33 +57,3 @@ func GetDashboardVersions(query *m.GetDashboardVersionsQuery) error {
 	}
 	return nil
 }
-
-// getDashboardVersion is a helper function that gets the dashboard version for
-// the given dashboard ID and version ID.
-func getDashboardVersion(dashboardId int64, version int) (*m.DashboardVersion, error) {
-	dashboardVersion := m.DashboardVersion{}
-	has, err := x.Where("dashboard_id=? AND version=?", dashboardId, version).Get(&dashboardVersion)
-	if err != nil {
-		return nil, err
-	}
-	if !has {
-		return nil, m.ErrDashboardVersionNotFound
-	}
-
-	dashboardVersion.Data.Set("id", dashboardVersion.DashboardId)
-	return &dashboardVersion, nil
-}
-
-// getDashboard gets a dashboard by ID. Used for retrieving the dashboard
-// associated with dashboard versions.
-func getDashboard(dashboardId int64) (*m.Dashboard, error) {
-	dashboard := m.Dashboard{Id: dashboardId}
-	has, err := x.Get(&dashboard)
-	if err != nil {
-		return nil, err
-	}
-	if has == false {
-		return nil, m.ErrDashboardNotFound
-	}
-	return &dashboard, nil
-}
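Review bot: In the first hunk, the rewritten GetDashboardVersion no longer performs the `dashboardVersion.Data.Set("id", dashboardVersion.DashboardId)` step that the deleted helper did (old line 91), so the returned version's `Data` lacks the dashboard id unless a caller re-adds it; if the diff or the version API depended on that, restore it after the `!has` check with `version.Data.Set("id", version.DashboardId)`. The `LEFT` join paired with `dashboard.org_id=?` in the WHERE clause behaves as an inner join, so `Join("INNER", "dashboard", ...)` states the intent more plainly and avoids a reader wondering whether versions of a missing dashboard are meant to pass. Because both tables carry an `id` column, a short comment on the query saying the join exists only for the org check, and that the bean must be populated from `dashboard_version`, would help the next maintainer.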

+ 9 - 18
pkg/services/sqlstore/logger.go

@@ -23,67 +23,59 @@ func NewXormLogger(level glog.Lvl, grafanaLog glog.Logger) *XormLogger {
 }
 
 // Error implement core.ILogger
-func (s *XormLogger) Err(v ...interface{}) error {
+func (s *XormLogger) Error(v ...interface{}) {
 	if s.level <= glog.LvlError {
 		s.grafanaLog.Error(fmt.Sprint(v...))
 	}
-	return nil
 }
 
 // Errorf implement core.ILogger
-func (s *XormLogger) Errf(format string, v ...interface{}) error {
+func (s *XormLogger) Errorf(format string, v ...interface{}) {
 	if s.level <= glog.LvlError {
 		s.grafanaLog.Error(fmt.Sprintf(format, v...))
 	}
-	return nil
 }
 
 // Debug implement core.ILogger
-func (s *XormLogger) Debug(v ...interface{}) error {
+func (s *XormLogger) Debug(v ...interface{}) {
 	if s.level <= glog.LvlDebug {
 		s.grafanaLog.Debug(fmt.Sprint(v...))
 	}
-	return nil
 }
 
 // Debugf implement core.ILogger
-func (s *XormLogger) Debugf(format string, v ...interface{}) error {
+func (s *XormLogger) Debugf(format string, v ...interface{}) {
 	if s.level <= glog.LvlDebug {
 		s.grafanaLog.Debug(fmt.Sprintf(format, v...))
 	}
-	return nil
 }
 
 // Info implement core.ILogger
-func (s *XormLogger) Info(v ...interface{}) error {
+func (s *XormLogger) Info(v ...interface{}) {
 	if s.level <= glog.LvlInfo {
 		s.grafanaLog.Info(fmt.Sprint(v...))
 	}
-	return nil
 }
 
 // Infof implement core.ILogger
-func (s *XormLogger) Infof(format string, v ...interface{}) error {
+func (s *XormLogger) Infof(format string, v ...interface{}) {
 	if s.level <= glog.LvlInfo {
 		s.grafanaLog.Info(fmt.Sprintf(format, v...))
 	}
-	return nil
 }
 
 // Warn implement core.ILogger
-func (s *XormLogger) Warning(v ...interface{}) error {
+func (s *XormLogger) Warn(v ...interface{}) {
 	if s.level <= glog.LvlWarn {
 		s.grafanaLog.Warn(fmt.Sprint(v...))
 	}
-	return nil
 }
 
 // Warnf implement core.ILogger
-func (s *XormLogger) Warningf(format string, v ...interface{}) error {
+func (s *XormLogger) Warnf(format string, v ...interface{}) {
 	if s.level <= glog.LvlWarn {
 		s.grafanaLog.Warn(fmt.Sprintf(format, v...))
 	}
-	return nil
 }
 
 // Level implement core.ILogger
@@ -103,8 +95,7 @@ func (s *XormLogger) Level() core.LogLevel {
 }
 
 // SetLevel implement core.ILogger
-func (s *XormLogger) SetLevel(l core.LogLevel) error {
-	return nil
+func (s *XormLogger) SetLevel(l core.LogLevel) {
 }
 
 // ShowSQL implement core.ILogger