Security Guidelines
This section addresses many general questions we received on the matter. At the bottom, find some of the plugins solely related notes in the corresponding sections.
Report any security issues to our email: info at volkovlabs.io.
JavaScript enriched
Our plugins are enriched with JavaScript, providing you with unparalleled customization options.
The ability to use JavaScript is one of the most demanded features in community plugins since it expands the Grafana possibilities even further. However, as with any mighty force, this one also has to be wielded with caution.
JavaScript code can be modified in Edit mode by any Editor and Admin users.
Grafana executes JavaScript code in a Sandbox environment, which significantly reduces security risks.
To facilitate the safe usage of our JavaScript-enriched plugins we suggest the following approaches: provisioning and access restrictions.
Provisioning
In the provisioned dashboard, an end user is not able to save any changes they make. We explained the mechanics of provisioning in great detail in the following video:
Also, you can look at the blog post that covers a similar scope.
Access restriction
Access restriction ensures that only trusted users are allotted Admin and Editor privileges. Users with a Viewer role are not able to open panels in edit mode, hence, their ability to even accidentally create a hazard is decapitated.
Specific notes to some plugins
Above we discussed the general safety suggestions. Below you find recommendations solely related to specified plugins.
Dynamic Text Panel
You can keep the default setting disable_sanitize_html = false to keep security restrictions in place. However, with that many action tags will be disabled. For instance, your panels will not display HTML elements like buttons.
The feature to process external CSS and JavaScript files is available only when sanitizing is disabled in the Grafana configuration:
disable_sanitize_html = true
Static Data Source
Static Data Source allows to set values using JavaScript Value Editor, which can be disabled in the Data Source options.
Environment Data Source
To stay out of trouble, Grafana Core chose not to support the environment variables at this time. Yet, many industrial cases require the ability to display environment variables, for instance, in cases where the goal is to manage numerous remote devices (for example, IoT networks).
To make the Environmental Data Source more secure, you can restrict the variables that are allowed to be shown in the Environment data source configuration. For the endless possibilities, the filter utilizes a regex pattern.
