- ⚙️ Fix: Enhance URL safety checks by sanitizing URLs first.
- 🛡️ Security: Update `jsonpath-plus` to version 10.2.0
- 🛡️ Security: Update `cross-spawn` to version 7.0.5
- 🛡️ Security: Update `jsonpath-plus` to version 10.1.0
- 🛡️ Security: Update `uplot` to version 1.6.31
- 🛡️ Security: Update `jsonpath-plus` to version 10.0.6
- 🛡️ Security: Bump `dompurify` from 3.1.0 to 3.1.6
- 🛡️ Security: Bump `path-to-regexp` from 1.8.0 to 1.9.0
- 🛡️ Security: Bump `micromatch` from 4.0.5 to 4.0.8
- 🛡️ Security: Bump `webpack` from 5.86.0 to 5.94.0
- 🛡️ Security: Bump `fast-loops` from 1.1.3 to 1.1.4
- 🛡️ Security: Bump `ws` from 8.14.2 to 8.17.1
- 🛡️ Security: Bump `braces` from 3.0.2 to 3.0.3
- ⚙️ Fix: Consider `\` (backslash) characters in allowed URL checks.
- ⚙️ Chore: Updated documentation
- ⚙️ Chore: Update dependencies
- ⚙️ Chore: Update dependencies
- ⚙️ Chore: Maintenance
- 🛡️ Security: Add more robust URL handling, do not allow '/../' in the URL, only allow GET and POST methods (CVE-2023-5123)
- ⚙️ Docs: Documentation website moved from github pages to grafana.com/docs/plugins page
- ⚙️ Chore: Update configuration page to follow best practices
- ⚙️ Chore: Remove legacy form styles
- ⚙️ Chore: Update readme and documentation
- ⚙️ Chore: Added lint github workflow
- ⚙️ Chore: Update dependencies
- ⚙️ Chore: Migrate to create-plugin
- ⚙️ Chore: Add feature tracking
- ⚙️ Chore: Docs update
- 🛡️ Security: Recently, a third-party researcher (Alessio Della Libera of Snyk Research Team) discovered and privately disclosed to us a stored XSS vulnerability in the Grafana-maintained `marcusolsson-json-datasource` plugin, also known as the “JSON API plugin”.
Users with the editor role could perform a stored XSS attack against other viewers, editors, and administrators by including a specially crafted JavaScript statement in the field extractor in queries to the `marcusolsson-json-datasource` plugin. This resulted in XSS against anyone viewing a panel configured to query the datasource with a malicious query.
This vulnerability worked because the `marcusolsson-json-datasource` plugin uses the `jsonpath-plus` library to evaluate editor-supplied JSONPath expressions. In its default configuration (which we used), this library is an XSS vector, as the JSONPath spec allows for embedded subexpressions, which `jsonpath-plus` implements as arbitrary JavaScript expressions.
In order to mitigate this vulnerability, we now supply a configuration parameter to `jsonpath-plus` which forbids the evaluation of subexpressions. It is important to note that this change may break existing JSONPath queries that rely on filter or eval expressions.
If your dashboards currently rely on JSONPath queries containing subexpressions, there are a few potential migration paths:
- For simple queries that use subexpressions for indexing/slicing, it may be possible to rewrite the query without a subexpression; for instance, `[(@.length-1)]` can also be represented as `[:-1]`.
- For more complex queries, we suggest switching to the `jsonata` language, which the plugin also supports. This language has similar features to JSONPath, including support for filter expressions (called “predicates” in the documentation).
- If changing your existing queries isn’t feasible, the community plugin “Infinity” supports JSONPath expressions, including filters and subexpressions if used with the `backend` parser option. Please note that Infinity is a community-supported plugin.
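
To find the dashboard queries this change affects before upgrading, the field extractors can be scanned for bracketed script `[(...)]` and filter `[?(...)]` subexpressions. The following is an added example, not code from the plugin or from `jsonpath-plus`; the function names and the sample panel queries are constructed for illustration, and the scanner only recognises the bracketed forms described above.

```javascript
// Added example: flag JSONPath subexpressions that stop evaluating once
// subexpression evaluation is forbidden. All names here are hypothetical.

// Index just past the closing quote that matches path[start].
function skipQuoted(path, start) {
  let i = start + 1;
  while (i < path.length && path[i] !== path[start]) {
    i += path[i] === '\\' ? 2 : 1; // step over escaped characters
  }
  return i + 1;
}

// Index of the ')' matching the '(' at path[open]; parens in quotes are ignored.
function matchParen(path, open) {
  let depth = 0;
  for (let i = open; i < path.length; i++) {
    const ch = path[i];
    if (ch === "'" || ch === '"') { i = skipQuoted(path, i) - 1; continue; }
    if (ch === '(') depth++;
    if (ch === ')' && --depth === 0) return i;
  }
  return path.length - 1; // unbalanced: treat the rest as the expression
}

// Collect script and filter subexpressions found in one JSONPath string.
function findSubexpressions(path) {
  const found = [];
  for (let i = 0; i < path.length; i++) {
    const ch = path[i];
    if (ch === "'" || ch === '"') { i = skipQuoted(path, i) - 1; continue; }
    if (ch !== '[') continue;
    let j = i + 1;
    while (path[j] === ' ') j++;
    const kind = path[j] === '?' ? 'filter' : 'script';
    if (kind === 'filter') j++;
    if (path[j] !== '(') continue; // plain index, slice, wildcard or quoted key
    const end = matchParen(path, j);
    found.push({ kind, expr: path.slice(j, end + 1) });
    i = end;
  }
  return found;
}

// Constructed sample input: panel title -> JSONPath field extractor.
const sampleQueries = {
  'Names': '$.items[*].name',
  'Last item': '$.items[(@.length-1)].name',
  'Expensive': '$.items[?(@.price > 10)].name',
  'Quoted key': "$['weird(key)'].value",
};

// Panels whose queries need migrating, with the offending expressions.
function audit(queries) {
  return Object.entries(queries)
    .map(([panel, path]) => ({ panel, hits: findSubexpressions(path) }))
    .filter((r) => r.hits.length > 0);
}
console.log(JSON.stringify(audit(sampleQueries), null, 2));
```

Script hits are candidates for a plain index or slice rewrite; filter hits are candidates for JSONata predicates or the Infinity `backend` parser, as listed above.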
- ⚙️ Chore: docs update
- ⚙️ Chore: dependencies update
- ⚙️ Chore: spellcheck added
- Fixed the broken docs and links
- Append suffix to param key to uniquify duplicate param keys #232 (thanks @rejohnst!)
- Added grafana global variables when doing a query using jsonata #223 (thanks @amng!)
- Certain strings incorrectly identified as dates #202
- Add support for JSONata (#114), a query language similar to JSONPath with support for transformations.
- Cannot read property 'filter' of undefined (#156)
- Update dependencies, docs, and metadata
- Adding `$__isoFrom()` and `$__isoTo()` macros (#115) (thanks @jirkafajfr!)
- Using JSON.stringify instead of toString for object types in parseValue (#111) (thanks @Totalus!)
- 🐛 Fix: Fix for macros not running in variable queries (#100) (thanks @KensingtonTech!)
- Improve editor styling
- 🐛 Fix: Fix issue where wrong fields were used when grouping
- Add variable support for aliases
This release introduces an Experimental tab to the query editor. This will be used to let users try out features while they're being developed. Each feature has a link to the GitHub issue where you can share your feedback before the feature is considered stable.
- Extend variables support to options
- Don't detect time fields from Unix epoch (#82)
- Add params to cache key (#85)
- Add support for field aliases
- Add Experimental section to query editor to test features under development
- Experimental: Group query results by field (#36)
- Experimental: Set display name for metric fields (#36)
- Experimental: Set optional label for variables (#79)
- Ignore hidden queries (#83)
- New queries don't use default values
- Add annotation support
- Can't connect to API when URL contains encoded slash (#59)
No noteworthy features or bug fixes in this release. Mostly metadata updates.
- Undefined cache duration isn't handled
- Query editor tries to update read only property
- Add auto-completion to JSON Path queries
- Variable queries fail with error (#48)
- Cannot read property 'toString' of null (#46)
BREAKING CHANGE: Query parameters set by the query editor no longer override the data source config, to match how headers are handled in the Grafana proxy. This establishes the convention that any configuration made by an administrator should have higher priority.
IMPORTANT: This release contains many new changes that touch several aspects of the plugin. Make sure that you back up your dashboards before updating your plugin.
This release introduces a new query editor that gives more control of the request.
- Support for both GET and POST methods
- Support for request bodies (when using POST)
- Support for headers
It introduces a new key value editor for query parameters and headers, as well as a Monaco-based editor for editing the request body with syntax highlighting.
This release deprecates the `queryString` property in the query model, in favor of the new `params`. The query string config should be backwards-compatible (and forward-compatible) with previous versions, but make sure to back up your dashboard before upgrading.
- Use the refId as the series name
- Add type configuration for queries (#37)
- Grafana Explore gets stuck when adding a second query (#31)
- Multiple data source queries overwrite each other
- Falsy values are returned as NaN (#25)
- Add support for custom paths (#24)
- Add epoch time macros (#22)
- Migrate to new form components. This bumps the minimum required Grafana version to 7.3.0
- Fixes an issue where custom query parameters defined in the data source are flipped.
- Updated `@grafana` dependencies from `^7.0.0` to `^7.3.0`
- Improved release process using the new GitHub workflows for Grafana plugins