Patch Grafana against session cookie vulnerability and CVE-2023-1410

Merge branch 'security-grafana-session-cookie-outgoing-request-15-10' into '15-10-stable' See merge request gitlab-org/security/omnibus-gitlab!327 Changelog: security

Patch Grafana against session cookie vulnerability and CVE-2023-1410
febd1125 · Balasankar C · GitLab Release Tools Bot · a0a6dbff · febd1125 · febd1125
Commit febd1125 authored 1 year ago by Balasankar C Committed by GitLab Release Tools Bot 1 year ago
--- a/config/patches/grafana/cve-2023-1410.patch
+++ b/config/patches/grafana/cve-2023-1410.patch
+diff --git a/package.json b/package.json
+index e6a40f91a3..118bcff2fc 100644
+--- a/package.json
+++ b/package.json
+@@ -280,7 +280,6 @@
+     "redux-thunk": "2.3.0",
+     "regenerator-runtime": "0.13.3",
+     "reselect": "4.0.0",
+-    "rst2html": "github:thoward/rst2html#990cb89",
+     "rxjs": "6.6.3",
+     "search-query-parser": "1.5.4",
+     "slate": "0.47.8",
+diff --git a/public/app/plugins/datasource/graphite/FunctionEditor.tsx b/public/app/plugins/datasource/graphite/FunctionEditor.tsx
+index d178904640..888b5246da 100644
+--- a/public/app/plugins/datasource/graphite/FunctionEditor.tsx
+++ b/public/app/plugins/datasource/graphite/FunctionEditor.tsx
+@@ -10,11 +10,9 @@ interface FunctionEditorState {
+   showingDescription: boolean;
+ }
+ const FunctionDescription = React.lazy(async () => {
+-  // @ts-ignore
+-  const { default: rst2html } = await import(/* webpackChunkName: "rst2html" */ 'rst2html');
+   return {
+     default(props: { description?: string }) {
+-      return <div dangerouslySetInnerHTML={{ __html: rst2html(props.description ?? '') }} />;
+      return <div>{props.description}</div>;
+     },
+   };
+ });
+diff --git a/public/app/plugins/datasource/graphite/add_graphite_func.ts b/public/app/plugins/datasource/graphite/add_graphite_func.ts
+index 5216194ef7..ede76f6059 100644
+--- a/public/app/plugins/datasource/graphite/add_graphite_func.ts
+++ b/public/app/plugins/datasource/graphite/add_graphite_func.ts
+@@ -108,9 +108,7 @@ export function graphiteAddFunc($compile: any) {
+             }
+ 
+             const contentElement = document.createElement('div');
+-            // @ts-ignore
+-            const { default: rst2html } = await import(/* webpackChunkName: "rst2html" */ 'rst2html');
+-            contentElement.innerHTML = '<h4>' + funcDef.name + '</h4>' + rst2html(shortDesc);
+            contentElement.innerHTML = '<h4>' + funcDef.name + '</h4>' + shortDesc;
+ 
+             drop = new Drop({
+               target: this,
+diff --git a/yarn.lock b/yarn.lock
+index c17e6153be..1363fc06be 100644
+--- a/yarn.lock
+++ b/yarn.lock
+@@ -7613,11 +7613,6 @@ accepts@~1.3.4, accepts@~1.3.5, accepts@~1.3.7:
+     mime-types "~2.1.24"
+     negotiator "0.6.2"
+ 
+-acorn-es7-plugin@^1.0.12:
+-  version "1.1.7"
+-  resolved "https://registry.yarnpkg.com/acorn-es7-plugin/-/acorn-es7-plugin-1.1.7.tgz#f2ee1f3228a90eead1245f9ab1922eb2e71d336b"
+-  integrity sha1-8u4fMiipDurRJF+asZIusucdM2s=
+-
+ acorn-globals@^4.3.2:
+   version "4.3.4"
+   resolved "https://registry.yarnpkg.com/acorn-globals/-/acorn-globals-4.3.4.tgz#9fa1926addc11c97308c4e66d7add0d40c3272e7"
+@@ -7671,7 +7666,7 @@ acorn@^3.0.4:
+   resolved "https://registry.yarnpkg.com/acorn/-/acorn-3.3.0.tgz#45e37fb39e8da3f25baee3ff5369e2bb5f22017a"
+   integrity sha1-ReN/s56No/JbruP/U2niu18iAXo=
+ 
+-acorn@^5.0.0, acorn@^5.5.0:
+acorn@^5.5.0:
+   version "5.7.4"
+   resolved "https://registry.yarnpkg.com/acorn/-/acorn-5.7.4.tgz#3e8d8a9947d0599a1796d10225d7432f4a4acf5e"
+   integrity sha512-1D++VG7BhrtvQpNbBzovKNc1FLGGEE/oGe7b9xJm/RFHMBeUaUGpluV9RLjZa47YFdPcDAenEYuq9pQPcMdLJg==
+@@ -9443,11 +9438,6 @@ call-me-maybe@^1.0.1:
+   resolved "https://registry.yarnpkg.com/call-me-maybe/-/call-me-maybe-1.0.1.tgz#26d208ea89e37b5cbde60250a15f031c16a4d66b"
+   integrity sha1-JtII6onje1y95gJQoV8DHBak1ms=
+ 
+-call-signature@0.0.2:
+-  version "0.0.2"
+-  resolved "https://registry.yarnpkg.com/call-signature/-/call-signature-0.0.2.tgz#a84abc825a55ef4cb2b028bd74e205a65b9a4996"
+-  integrity sha1-qEq8glpV70yysCi9dOIFpluaSZY=
+-
+ caller-callsite@^2.0.0:
+   version "2.0.0"
+   resolved "https://registry.yarnpkg.com/caller-callsite/-/caller-callsite-2.0.0.tgz#847e0fce0a223750a9a027c54b33731ad3154134"
+@@ -9566,17 +9556,7 @@ caniuse-db@1.0.30000772:
+   resolved "https://registry.yarnpkg.com/caniuse-db/-/caniuse-db-1.0.30000772.tgz#51aae891768286eade4a3d8319ea76d6a01b512b"
+   integrity sha1-UarokXaChureSj2DGep21qAbUSs=
+ 
+-caniuse-lite@^1.0.0, caniuse-lite@^1.0.30001173:
+-  version "1.0.30001299"
+-  resolved "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001299.tgz"
+-  integrity sha512-iujN4+x7QzqA2NCSrS5VUy+4gLmRd4xv6vbBBsmfVqTx8bLAD8097euLqQgKxSVLvxjSDcvF1T/i9ocgnUFexw==
+-
+-caniuse-lite@^1.0.30000981, caniuse-lite@^1.0.30001020, caniuse-lite@^1.0.30001035, caniuse-lite@^1.0.30001093:
+-  version "1.0.30001299"
+-  resolved "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001299.tgz"
+-  integrity sha512-iujN4+x7QzqA2NCSrS5VUy+4gLmRd4xv6vbBBsmfVqTx8bLAD8097euLqQgKxSVLvxjSDcvF1T/i9ocgnUFexw==
+-
+-caniuse-lite@^1.0.30001109:
+caniuse-lite@^1.0.0, caniuse-lite@^1.0.30000981, caniuse-lite@^1.0.30001020, caniuse-lite@^1.0.30001035, caniuse-lite@^1.0.30001093, caniuse-lite@^1.0.30001109, caniuse-lite@^1.0.30001173:
+   version "1.0.30001299"
+   resolved "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001299.tgz"
+   integrity sha512-iujN4+x7QzqA2NCSrS5VUy+4gLmRd4xv6vbBBsmfVqTx8bLAD8097euLqQgKxSVLvxjSDcvF1T/i9ocgnUFexw==
+@@ -10552,7 +10532,7 @@ core-js@^1.0.0:
+   resolved "https://registry.yarnpkg.com/core-js/-/core-js-1.2.7.tgz#652294c14651db28fa93bd2d5ff2983a4f08c636"
+   integrity sha1-ZSKUwUZR2yj6k70tX/KYOk8IxjY=
+ 
+-core-js@^2.0.0, core-js@^2.4.0:
+core-js@^2.4.0:
+   version "2.6.10"
+   resolved "https://registry.yarnpkg.com/core-js/-/core-js-2.6.10.tgz#8a5b8391f8cc7013da703411ce5b585706300d7f"
+   integrity sha512-I39t74+4t+zau64EN1fE5v2W31Adtc/REhzWN+gWRRXg6WH5qAsZm62DHpQ1+Yhe4047T55jvzz7MUqF/dBBlA==
+@@ -11778,11 +11758,6 @@ dezalgo@^1.0.0:
+     asap "^2.0.0"
+     wrappy "1"
+ 
+-diff-match-patch@^1.0.0:
+-  version "1.0.4"
+-  resolved "https://registry.yarnpkg.com/diff-match-patch/-/diff-match-patch-1.0.4.tgz#6ac4b55237463761c4daf0dc603eb869124744b1"
+-  integrity sha512-Uv3SW8bmH9nAtHKaKSanOQmj2DnlH65fUpcrMdfdaOxUG02QQ4YGZ8AE7kKOMisF7UqvOlGKVYWRvezdncW9lg==
+-
+ diff-sequences@^25.2.6:
+   version "25.2.6"
+   resolved "https://registry.yarnpkg.com/diff-sequences/-/diff-sequences-25.2.6.tgz#5f467c00edd35352b7bca46d7927d60e687a76dd"
+@@ -12079,11 +12054,6 @@ duplexify@^3.4.2, duplexify@^3.6.0:
+     readable-stream "^2.0.0"
+     stream-shift "^1.0.0"
+ 
+-eastasianwidth@^0.2.0:
+-  version "0.2.0"
+-  resolved "https://registry.yarnpkg.com/eastasianwidth/-/eastasianwidth-0.2.0.tgz#696ce2ec0aa0e6ea93a397ffcf24aa7840c827cb"
+-  integrity sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==
+-
+ ecc-jsbn@~0.1.1:
+   version "0.1.2"
+   resolved "https://registry.yarnpkg.com/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz#3a83a904e54353287874c564b7549386849a98c9"
+@@ -12201,22 +12171,6 @@ emotion@10.0.27, emotion@^10.0.27:
+     babel-plugin-emotion "^10.0.27"
+     create-emotion "^10.0.27"
+ 
+-empower-core@^1.2.0:
+-  version "1.2.0"
+-  resolved "https://registry.yarnpkg.com/empower-core/-/empower-core-1.2.0.tgz#ce3fb2484d5187fa29c23fba8344b0b2fdf5601c"
+-  integrity sha512-g6+K6Geyc1o6FdXs9HwrXleCFan7d66G5xSCfSF7x1mJDCes6t0om9lFQG3zOrzh3Bkb/45N0cZ5Gqsf7YrzGQ==
+-  dependencies:
+-    call-signature "0.0.2"
+-    core-js "^2.0.0"
+-
+-empower@^1.3.1:
+-  version "1.3.1"
+-  resolved "https://registry.yarnpkg.com/empower/-/empower-1.3.1.tgz#768979cbbb36d71d8f5edaab663deacb9dab916c"
+-  integrity sha512-uB6/ViBaawOO/uujFADTK3SqdYlxYNn+N4usK9MRKZ4Hbn/1QSy8k2PezxCA2/+JGbF8vd/eOfghZ90oOSDZCA==
+-  dependencies:
+-    core-js "^2.0.0"
+-    empower-core "^1.2.0"
+-
+ encodeurl@~1.0.2:
+   version "1.0.2"
+   resolved "https://registry.yarnpkg.com/encodeurl/-/encodeurl-1.0.2.tgz#ad3ff4c86ec2d029322f5a02c3a9a606c95b3f59"
+@@ -12925,13 +12879,6 @@ esprima@~3.1.0:
+   resolved "https://registry.yarnpkg.com/esprima/-/esprima-3.1.3.tgz#fdca51cee6133895e3c88d535ce49dbff62a4633"
+   integrity sha1-/cpRzuYTOJXjyI1TXOSdv/YqRjM=
+ 
+-espurify@^1.6.0:
+-  version "1.8.1"
+-  resolved "https://registry.yarnpkg.com/espurify/-/espurify-1.8.1.tgz#5746c6c1ab42d302de10bd1d5bf7f0e8c0515056"
+-  integrity sha512-ZDko6eY/o+D/gHCWyHTU85mKDgYcS4FJj7S+YD6WIInm7GQ6AnOjmcL4+buFV/JOztVLELi/7MmuGU5NHta0Mg==
+-  dependencies:
+-    core-js "^2.0.0"
+-
+ esquery@^1.4.0:
+   version "1.4.0"
+   resolved "https://registry.yarnpkg.com/esquery/-/esquery-1.4.0.tgz#2148ffc38b82e8c7057dfed48425b3e61f0f24a5"
+@@ -15305,11 +15252,6 @@ indexes-of@^1.0.1:
+   resolved "https://registry.yarnpkg.com/indexes-of/-/indexes-of-1.0.1.tgz#f30f716c8e2bd346c7b67d3df3915566a7c05607"
+   integrity sha1-8w9xbI4r00bHtn0985FVZqfAVgc=
+ 
+-indexof@0.0.1:
+-  version "0.0.1"
+-  resolved "https://registry.yarnpkg.com/indexof/-/indexof-0.0.1.tgz#82dc336d232b9062179d05ab3293a66059fd435d"
+-  integrity sha1-gtwzbSMrkGIXnQWrMpOmYFn9Q10=
+-
+ infer-owner@^1.0.3, infer-owner@^1.0.4:
+   version "1.0.4"
+   resolved "https://registry.yarnpkg.com/infer-owner/-/infer-owner-1.0.4.tgz#c4cefcaa8e51051c2a40ba2ce8a3d27295af9467"
+@@ -19118,7 +19060,7 @@ object-is@^1.1.2:
+     define-properties "^1.1.3"
+     es-abstract "^1.18.0-next.1"
+ 
+-object-keys@^1.0.0, object-keys@^1.0.11, object-keys@^1.0.12, object-keys@^1.1.1:
+object-keys@^1.0.11, object-keys@^1.0.12, object-keys@^1.1.1:
+   version "1.1.1"
+   resolved "https://registry.yarnpkg.com/object-keys/-/object-keys-1.1.1.tgz#1c47f272df277f3b1daf061677d9c82e2322c60e"
+   integrity sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA==
+@@ -20722,105 +20664,6 @@ postcss@^7.0.23, postcss@^7.0.26:
+     source-map "^0.6.1"
+     supports-color "^6.1.0"
+ 
+-power-assert-context-formatter@^1.0.7:
+-  version "1.2.0"
+-  resolved "https://registry.yarnpkg.com/power-assert-context-formatter/-/power-assert-context-formatter-1.2.0.tgz#8fbe72692288ec5a7203cdf215c8b838a6061d2a"
+-  integrity sha512-HLNEW8Bin+BFCpk/zbyKwkEu9W8/zThIStxGo7weYcFkKgMuGCHUJhvJeBGXDZf0Qm2xis4pbnnciGZiX0EpSg==
+-  dependencies:
+-    core-js "^2.0.0"
+-    power-assert-context-traversal "^1.2.0"
+-
+-power-assert-context-reducer-ast@^1.0.7:
+-  version "1.2.0"
+-  resolved "https://registry.yarnpkg.com/power-assert-context-reducer-ast/-/power-assert-context-reducer-ast-1.2.0.tgz#c7ca1c9e39a6fb717f7ac5fe9e76e192bf525df3"
+-  integrity sha512-EgOxmZ/Lb7tw4EwSKX7ZnfC0P/qRZFEG28dx/690qvhmOJ6hgThYFm5TUWANDLK5NiNKlPBi5WekVGd2+5wPrw==
+-  dependencies:
+-    acorn "^5.0.0"
+-    acorn-es7-plugin "^1.0.12"
+-    core-js "^2.0.0"
+-    espurify "^1.6.0"
+-    estraverse "^4.2.0"
+-
+-power-assert-context-traversal@^1.2.0:
+-  version "1.2.0"
+-  resolved "https://registry.yarnpkg.com/power-assert-context-traversal/-/power-assert-context-traversal-1.2.0.tgz#f6e71454baf640de5c1c9c270349f5c9ab0b2e94"
+-  integrity sha512-NFoHU6g2umNajiP2l4qb0BRWD773Aw9uWdWYH9EQsVwIZnog5bd2YYLFCVvaxWpwNzWeEfZIon2xtyc63026pQ==
+-  dependencies:
+-    core-js "^2.0.0"
+-    estraverse "^4.1.0"
+-
+-power-assert-formatter@^1.4.1:
+-  version "1.4.1"
+-  resolved "https://registry.yarnpkg.com/power-assert-formatter/-/power-assert-formatter-1.4.1.tgz#5dc125ed50a3dfb1dda26c19347f3bf58ec2884a"
+-  integrity sha1-XcEl7VCj37HdomwZNH879Y7CiEo=
+-  dependencies:
+-    core-js "^2.0.0"
+-    power-assert-context-formatter "^1.0.7"
+-    power-assert-context-reducer-ast "^1.0.7"
+-    power-assert-renderer-assertion "^1.0.7"
+-    power-assert-renderer-comparison "^1.0.7"
+-    power-assert-renderer-diagram "^1.0.7"
+-    power-assert-renderer-file "^1.0.7"
+-
+-power-assert-renderer-assertion@^1.0.7:
+-  version "1.2.0"
+-  resolved "https://registry.yarnpkg.com/power-assert-renderer-assertion/-/power-assert-renderer-assertion-1.2.0.tgz#3db6ffcda106b37bc1e06432ad0d748a682b147a"
+-  integrity sha512-3F7Q1ZLmV2ZCQv7aV7NJLNK9G7QsostrhOU7U0RhEQS/0vhEqrRg2jEJl1jtUL4ZyL2dXUlaaqrmPv5r9kRvIg==
+-  dependencies:
+-    power-assert-renderer-base "^1.1.1"
+-    power-assert-util-string-width "^1.2.0"
+-
+-power-assert-renderer-base@^1.1.1:
+-  version "1.1.1"
+-  resolved "https://registry.yarnpkg.com/power-assert-renderer-base/-/power-assert-renderer-base-1.1.1.tgz#96a650c6fd05ee1bc1f66b54ad61442c8b3f63eb"
+-  integrity sha1-lqZQxv0F7hvB9mtUrWFELIs/Y+s=
+-
+-power-assert-renderer-comparison@^1.0.7:
+-  version "1.2.0"
+-  resolved "https://registry.yarnpkg.com/power-assert-renderer-comparison/-/power-assert-renderer-comparison-1.2.0.tgz#e4f88113225a69be8aa586ead05aef99462c0495"
+-  integrity sha512-7c3RKPDBKK4E3JqdPtYRE9cM8AyX4LC4yfTvvTYyx8zSqmT5kJnXwzR0yWQLOavACllZfwrAGQzFiXPc5sWa+g==
+-  dependencies:
+-    core-js "^2.0.0"
+-    diff-match-patch "^1.0.0"
+-    power-assert-renderer-base "^1.1.1"
+-    stringifier "^1.3.0"
+-    type-name "^2.0.1"
+-
+-power-assert-renderer-diagram@^1.0.7:
+-  version "1.2.0"
+-  resolved "https://registry.yarnpkg.com/power-assert-renderer-diagram/-/power-assert-renderer-diagram-1.2.0.tgz#37f66e8542e5677c5b58e6d72b01c0d9a30e2219"
+-  integrity sha512-JZ6PC+DJPQqfU6dwSmpcoD7gNnb/5U77bU5KgNwPPa+i1Pxiz6UuDeM3EUBlhZ1HvH9tMjI60anqVyi5l2oNdg==
+-  dependencies:
+-    core-js "^2.0.0"
+-    power-assert-renderer-base "^1.1.1"
+-    power-assert-util-string-width "^1.2.0"
+-    stringifier "^1.3.0"
+-
+-power-assert-renderer-file@^1.0.7:
+-  version "1.2.0"
+-  resolved "https://registry.yarnpkg.com/power-assert-renderer-file/-/power-assert-renderer-file-1.2.0.tgz#3f4bebd9e1455d75cf2ac541e7bb515a87d4ce4b"
+-  integrity sha512-/oaVrRbeOtGoyyd7e4IdLP/jIIUFJdqJtsYzP9/88R39CMnfF/S/rUc8ZQalENfUfQ/wQHu+XZYRMaCEZmEesg==
+-  dependencies:
+-    power-assert-renderer-base "^1.1.1"
+-
+-power-assert-util-string-width@^1.2.0:
+-  version "1.2.0"
+-  resolved "https://registry.yarnpkg.com/power-assert-util-string-width/-/power-assert-util-string-width-1.2.0.tgz#6e06d5e3581bb876c5d377c53109fffa95bd91a0"
+-  integrity sha512-lX90G0igAW0iyORTILZ/QjZWsa1MZ6VVY3L0K86e2eKun3S4LKPH4xZIl8fdeMYLfOjkaszbNSzf1uugLeAm2A==
+-  dependencies:
+-    eastasianwidth "^0.2.0"
+-
+-power-assert@^1.2.0:
+-  version "1.6.1"
+-  resolved "https://registry.yarnpkg.com/power-assert/-/power-assert-1.6.1.tgz#b28cbc02ae808afd1431d0cd5093a39ac5a5b1fe"
+-  integrity sha512-VWkkZV6Y+W8qLX/PtJu2Ur2jDPIs0a5vbP0TpKeybNcIXmT4vcKoVkyTp5lnQvTpY/DxacAZ4RZisHRHLJcAZQ==
+-  dependencies:
+-    define-properties "^1.1.2"
+-    empower "^1.3.1"
+-    power-assert-formatter "^1.4.1"
+-    universal-deep-strict-equal "^1.2.1"
+-    xtend "^4.0.0"
+-
+ preceptor-core@~0.10.0:
+   version "0.10.1"
+   resolved "https://registry.yarnpkg.com/preceptor-core/-/preceptor-core-0.10.1.tgz#c31eb026fad91c24b44351308ac97e625ec69511"
+@@ -22981,16 +22824,6 @@ restore-cursor@^3.1.0:
+     onetime "^5.1.0"
+     signal-exit "^3.0.2"
+ 
+-restructured@0.0.11:
+-  version "0.0.11"
+-  resolved "https://registry.yarnpkg.com/restructured/-/restructured-0.0.11.tgz#f914f6b6f358b8e45d6d8ee268926cf1a783f710"
+-  integrity sha1-+RT2tvNYuORdbY7iaJJs8aeD9xA=
+-  dependencies:
+-    commander "^2.9.0"
+-    lodash "^4.0.0"
+-    power-assert "^1.2.0"
+-    unist-util-map "^1.0.2"
+-
+ ret@~0.1.10:
+   version "0.1.15"
+   resolved "https://registry.yarnpkg.com/ret/-/ret-0.1.15.tgz#b8a4825d5bdb1fc3f6f53c2bc33f81388681c7bc"
+@@ -23137,12 +22970,6 @@ rst-selector-parser@^2.2.3:
+     lodash.flattendeep "^4.4.0"
+     nearley "^2.7.10"
+ 
+-"rst2html@github:thoward/rst2html#990cb89":
+-  version "1.0.4"
+-  resolved "https://codeload.github.com/thoward/rst2html/tar.gz/990cb89f2a300cdd9151790be377c4c0840df809"
+-  dependencies:
+-    restructured "0.0.11"
+-
+ rsvp@^4.8.4:
+   version "4.8.5"
+   resolved "https://registry.yarnpkg.com/rsvp/-/rsvp-4.8.5.tgz#c8f155311d167f68f21e168df71ec5b083113734"
+@@ -24427,15 +24254,6 @@ string_decoder@~1.1.1:
+   dependencies:
+     safe-buffer "~5.1.0"
+ 
+-stringifier@^1.3.0:
+-  version "1.4.0"
+-  resolved "https://registry.yarnpkg.com/stringifier/-/stringifier-1.4.0.tgz#d704581567f4526265d00ed8ecb354a02c3fec28"
+-  integrity sha512-cNsMOqqrcbLcHTXEVmkw9y0fwDwkdgtZwlfyolzpQDoAE1xdNGhQhxBUfiDvvZIKl1hnUEgMv66nHwtMz3OjPw==
+-  dependencies:
+-    core-js "^2.0.0"
+-    traverse "^0.6.6"
+-    type-name "^2.0.1"
+-
+ stringify-object@^3.3.0:
+   version "3.3.0"
+   resolved "https://registry.yarnpkg.com/stringify-object/-/stringify-object-3.3.0.tgz#703065aefca19300d3ce88af4f5b3956d7556629"
+@@ -25173,11 +24991,6 @@ tr46@^2.0.2:
+   dependencies:
+     punycode "^2.1.1"
+ 
+-traverse@^0.6.6:
+-  version "0.6.6"
+-  resolved "https://registry.yarnpkg.com/traverse/-/traverse-0.6.6.tgz#cbdf560fd7b9af632502fed40f918c157ea97137"
+-  integrity sha1-y99WD9e5r2MlAv7UD5GMFX6pcTc=
+-
+ tree-kill@^1.1.0:
+   version "1.2.2"
+   resolved "https://registry.yarnpkg.com/tree-kill/-/tree-kill-1.2.2.tgz#4ca09a9092c88b73a7cdc5e8a01b507b0790a0cc"
+@@ -25394,11 +25207,6 @@ type-is@~1.6.17, type-is@~1.6.18:
+     media-typer "0.3.0"
+     mime-types "~2.1.24"
+ 
+-type-name@^2.0.1:
+-  version "2.0.2"
+-  resolved "https://registry.yarnpkg.com/type-name/-/type-name-2.0.2.tgz#efe7d4123d8ac52afff7f40c7e4dec5266008fb4"
+-  integrity sha1-7+fUEj2KxSr/9/QMfk3sUmYAj7Q=
+-
+ type-of@^2.0.1:
+   version "2.0.1"
+   resolved "https://registry.yarnpkg.com/type-of/-/type-of-2.0.1.tgz#e72a1741896568e9f628378d816d6912f7f23972"
+@@ -25590,13 +25398,6 @@ unist-util-is@^4.0.0:
+   resolved "https://registry.yarnpkg.com/unist-util-is/-/unist-util-is-4.0.4.tgz#3e9e8de6af2eb0039a59f50c9b3e99698a924f50"
+   integrity sha512-3dF39j/u423v4BBQrk1AQ2Ve1FxY5W3JKwXxVFzBODQ6WEvccguhgp802qQLKSnxPODE6WuRZtV+ohlUg4meBA==
+ 
+-unist-util-map@^1.0.2:
+-  version "1.0.5"
+-  resolved "https://registry.yarnpkg.com/unist-util-map/-/unist-util-map-1.0.5.tgz#701069b72e1d1cc02db265502a5e82b77c2eb8b7"
+-  integrity sha512-dFil/AN6vqhnQWNCZk0GF/G3+Q5YwsB+PqjnzvpO2wzdRtUJ1E8PN+XRE/PRr/G3FzKjRTJU0haqE0Ekl+O3Ag==
+-  dependencies:
+-    object-assign "^4.0.1"
+-
+ unist-util-position@^3.0.0:
+   version "3.1.0"
+   resolved "https://registry.yarnpkg.com/unist-util-position/-/unist-util-position-3.1.0.tgz#1c42ee6301f8d52f47d14f62bbdb796571fa2d47"
+@@ -25640,15 +25441,6 @@ unist-util-visit@2.0.3, unist-util-visit@^2.0.0:
+     unist-util-is "^4.0.0"
+     unist-util-visit-parents "^3.0.0"
+ 
+-universal-deep-strict-equal@^1.2.1:
+-  version "1.2.2"
+-  resolved "https://registry.yarnpkg.com/universal-deep-strict-equal/-/universal-deep-strict-equal-1.2.2.tgz#0da4ac2f73cff7924c81fa4de018ca562ca2b0a7"
+-  integrity sha1-DaSsL3PP95JMgfpN4BjKViyisKc=
+-  dependencies:
+-    array-filter "^1.0.0"
+-    indexof "0.0.1"
+-    object-keys "^1.0.0"
+-
+ universal-user-agent@^4.0.0:
+   version "4.0.1"
+   resolved "https://registry.yarnpkg.com/universal-user-agent/-/universal-user-agent-4.0.1.tgz#fd8d6cb773a679a709e967ef8288a31fcc03e557"
--- a/config/patches/grafana/session-cookie.patch
+++ b/config/patches/grafana/session-cookie.patch
+diff --git a/conf/defaults.ini b/conf/defaults.ini
+index b716c9e35a..2d3fcef800 100644
+--- a/conf/defaults.ini
+++ b/conf/defaults.ini
+@@ -342,6 +342,9 @@ hidden_users =
+ # Login cookie name
+ login_cookie_name = grafana_session
+ 
+# GitLab Session Cookie name
+gitlab_auth_cookie_name = _gitlab_session
+
+ # The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days (7d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month). The lifetime resets at each successful token rotation (token_rotation_interval_minutes).
+ login_maximum_inactive_lifetime_duration =
+ 
+diff --git a/pkg/api/pluginproxy/ds_proxy.go b/pkg/api/pluginproxy/ds_proxy.go
+index b5537ba6eb..93f6b398b7 100644
+--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
+@@ -222,7 +222,7 @@ func (proxy *DataSourceProxy) director(req *http.Request) {
+ 		}
+ 	}
+ 
+-	proxyutil.ClearCookieHeader(req, keepCookieNames)
+	proxyutil.ClearCookieHeader(req, keepCookieNames, []string{proxy.cfg.LoginCookieName, proxy.cfg.GitLabAuthCookieName})
+ 	proxyutil.PrepareProxyRequest(req)
+ 
+ 	req.Header.Set("User-Agent", fmt.Sprintf("Grafana/%s", setting.BuildVersion))
+diff --git a/pkg/plugins/backendplugin/manager.go b/pkg/plugins/backendplugin/manager.go
+index cc0c902fb6..a6f74b404c 100644
+--- a/pkg/plugins/backendplugin/manager.go
+++ b/pkg/plugins/backendplugin/manager.go
+@@ -275,7 +275,7 @@ func (m *manager) callResourceInternal(w http.ResponseWriter, req *http.Request,
+ 		}
+ 	}
+ 
+-	proxyutil.ClearCookieHeader(req, keepCookieModel.KeepCookies)
+	proxyutil.ClearCookieHeader(req, keepCookieModel.KeepCookies, []string{m.Cfg.LoginCookieName, m.Cfg.GitLabAuthCookieName})
+ 	proxyutil.PrepareProxyRequest(req)
+ 
+ 	body, err := ioutil.ReadAll(req.Body)
+diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
+index 2eb0d6b225..8b41859585 100644
+--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
+@@ -284,6 +284,7 @@ type Cfg struct {
+ 	BasicAuthEnabled             bool
+ 	AdminUser                    string
+ 	AdminPassword                string
+	GitLabAuthCookieName         string
+ 
+ 	// AWS Plugin Auth
+ 	AWSAllowedAuthProviders []string
+@@ -1158,6 +1159,7 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
+ 	auth := iniFile.Section("auth")
+ 
+ 	cfg.LoginCookieName = valueAsString(auth, "login_cookie_name", "grafana_session")
+	cfg.GitLabAuthCookieName = valueAsString(auth, "gitlab_auth_cookie_name", "_gitlab_session")
+ 	maxInactiveDaysVal := auth.Key("login_maximum_inactive_lifetime_days").MustString("")
+ 	if maxInactiveDaysVal != "" {
+ 		maxInactiveDaysVal = fmt.Sprintf("%sd", maxInactiveDaysVal)
+diff --git a/pkg/util/proxyutil/proxyutil.go b/pkg/util/proxyutil/proxyutil.go
+index 3db22a1426..ee56120cc6 100644
+--- a/pkg/util/proxyutil/proxyutil.go
+++ b/pkg/util/proxyutil/proxyutil.go
+@@ -3,6 +3,7 @@ package proxyutil
+ import (
+ 	"net"
+ 	"net/http"
+	"sort"
+ )
+ 
+ // PrepareProxyRequest prepares a request for being proxied.
+@@ -26,19 +27,31 @@ func PrepareProxyRequest(req *http.Request) {
+ 	}
+ }
+ 
+-// ClearCookieHeader clear cookie header, except for cookies specified to be kept.
+-func ClearCookieHeader(req *http.Request, keepCookiesNames []string) {
+-	var keepCookies []*http.Cookie
+// ClearCookieHeader clear cookie header, except for cookies specified to be kept (keepCookiesNames) if not in skipCookiesNames.
+func ClearCookieHeader(req *http.Request, keepCookiesNames []string, skipCookiesNames []string) {
+	keepCookies := map[string]*http.Cookie{}
+ 	for _, c := range req.Cookies() {
+ 		for _, v := range keepCookiesNames {
+ 			if c.Name == v {
+-				keepCookies = append(keepCookies, c)
+				keepCookies[c.Name] = c
+ 			}
+ 		}
+ 	}
+ 
+	for _, v := range skipCookiesNames {
+		delete(keepCookies, v)
+	}
+
+ 	req.Header.Del("Cookie")
+-	for _, c := range keepCookies {
+
+	sortedCookies := []string{}
+	for name := range keepCookies {
+		sortedCookies = append(sortedCookies, name)
+	}
+	sort.Strings(sortedCookies)
+
+	for _, name := range sortedCookies {
+		c := keepCookies[name]
+ 		req.AddCookie(c)
+ 	}
+ }
+diff --git a/pkg/util/proxyutil/proxyutil_test.go b/pkg/util/proxyutil/proxyutil_test.go
+index 5ff61ec1d2..03d816bbcd 100644
+--- a/pkg/util/proxyutil/proxyutil_test.go
+++ b/pkg/util/proxyutil/proxyutil_test.go
+@@ -49,7 +49,7 @@ func TestClearCookieHeader(t *testing.T) {
+ 		require.NoError(t, err)
+ 		req.AddCookie(&http.Cookie{Name: "cookie"})
+ 
+-		ClearCookieHeader(req, nil)
+		ClearCookieHeader(req, nil, nil)
+ 		require.NotContains(t, req.Header, "Cookie")
+ 	})
+ 
+@@ -60,8 +60,20 @@ func TestClearCookieHeader(t *testing.T) {
+ 		req.AddCookie(&http.Cookie{Name: "cookie2"})
+ 		req.AddCookie(&http.Cookie{Name: "cookie3"})
+ 
+-		ClearCookieHeader(req, []string{"cookie1", "cookie3"})
+		ClearCookieHeader(req, []string{"cookie1", "cookie3"}, nil)
+ 		require.Contains(t, req.Header, "Cookie")
+ 		require.Equal(t, "cookie1=; cookie3=", req.Header.Get("Cookie"))
+ 	})
+
+	t.Run("Clear cookie header with cookies to keep and skip should clear Cookie header and keep cookies", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodGet, "/", nil)
+		require.NoError(t, err)
+		req.AddCookie(&http.Cookie{Name: "cookie1"})
+		req.AddCookie(&http.Cookie{Name: "cookie2"})
+		req.AddCookie(&http.Cookie{Name: "cookie3"})
+
+		ClearCookieHeader(req, []string{"cookie1", "cookie3"}, []string{"cookie3"})
+		require.Contains(t, req.Header, "Cookie")
+		require.Equal(t, "cookie1=", req.Header.Get("Cookie"))
+	})
+ }
--- a/config/software/grafana.rb
+++ b/config/software/grafana.rb
@@ -42,6 +42,8 @@ build do
  env['CYPRESS_INSTALL_BINARY'] = '0'
  
  patch source: '1-cve-2022-31107-oauth-vulnerability.patch'
+  patch source: 'session-cookie.patch'
+  patch source: 'cve-2023-1410.patch'
  
  # Build backend
  make 'build-go', env: env