fix: assert no path traversal in renders (#801)

Proximyst · web-flow · commit 1858c2c51347 · 2025-10-09T09:03:17.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 4.0.17 (2025-10-09)
+
+- fix: assert no path traversal in renders (CVE-2025-11539), [#801](https://github.com/grafana/grafana-image-renderer/pull/801), [Proximyst](https://github.com/Proximyst), [KristianGrafana](https://github.com/KristianGrafana)
+
 ## 4.0.16 (2025-10-06)
 
 - Docker: Update Chromium to 141.0.7390.54 (CVE-2025-10890, CVE-2025-10891, CVE-2025-10892), [#799](https://github.com/grafana/grafana-image-renderer/pull/799), [Proximyst](https://github.com/Proximyst)
diff --git a/devenv/docker/simple-build/docker-compose.yaml b/devenv/docker/simple-build/docker-compose.yaml
@@ -0,0 +1,18 @@
+services:
+  grafana:
+    image: grafana/grafana-enterprise:nightly
+    ports:
+      - 3000:3000
+    environment:
+      GF_RENDERING_SERVER_URL: http://renderer:8081/render
+      GF_RENDERING_CALLBACK_URL: http://grafana:3000/
+      GF_LOG_FILTERS: rendering:debug
+
+  renderer:
+    build:
+      context: ../../../
+      dockerfile: Dockerfile
+    ports:
+      - 8081:8081
+    environment:
+      ENABLE_METRICS: 'true'
diff --git a/plugin.json b/plugin.json
@@ -24,8 +24,8 @@
         "url": "https://github.com/grafana/grafana-image-renderer/blob/master/LICENSE"
       }
     ],
-    "version": "4.0.16",
-    "updated": "2025-10-06"
+    "version": "4.0.17",
+    "updated": "2025-10-09"
   },
   "dependencies": {
     "grafanaDependency": ">=11.3.8"
diff --git a/src/browser/browser.ts b/src/browser/browser.ts
@@ -1,5 +1,6 @@
 import os from 'os';
 import uniqueFilename from 'unique-filename';
+import * as boom from '@hapi/boom';
 import * as puppeteer from 'puppeteer';
 import chokidar from 'chokidar';
 import path from 'path';
@@ -306,6 +307,8 @@ export class Browser {
   };
 
   async takeScreenshot(page: puppeteer.Page, options: ImageRenderOptions, signal: AbortSignal): Promise<RenderResponse> {
+    assertNoPathTraversal(options.filePath);
+
     await this.performStep('prepare', options.url, signal, async () => {
       if (this.config.verboseLogging) {
         this.log.debug(
@@ -451,6 +454,8 @@ export class Browser {
   }
 
   async exportCSV(page: any, options: RenderOptions, signal: AbortSignal): Promise<RenderCSVResponse> {
+    assertNoPathTraversal(options.filePath);
+
     let downloadFilePath = '';
     let downloadPath = '';
     await this.performStep('prepare', options.url, signal, async () => {
@@ -753,3 +758,13 @@ async function waitForQueriesAndVisualizations(page: puppeteer.Page, options: Im
   // Give some more time for rendering to complete
   await new Promise((resolve) => setTimeout(resolve, 50));
 }
+
+function assertNoPathTraversal(path?: string | null) {
+  if (!path) {
+    return;
+  }
+
+  if (path.indexOf('/') !== -1 || path.indexOf('\\') !== -1 || path === '..') {
+    throw boom.badRequest('File path should not include directories');
+  }
+}
