[18:08:50] PROJECT_CACHE_DIR=/data/pruva/project-cache/6c6f6fd2-6e61-4267-8db1-032ee6a303f9
[18:08:50] REPO=/data/pruva/project-cache/6c6f6fd2-6e61-4267-8db1-032ee6a303f9/repo
[18:08:50] GO=go version go1.26.4 linux/amd64
[18:08:50] original repo HEAD=a4703d4dca7ed6f682739e2fc75227c6ce69f8c2
[18:08:50] fixed commit=8891796ca1086cd234e1715ea71d8db0073cc160 vulnerable parent=c00083433312adb7b7cfef83f74751e1216f67f8
[18:08:50] library vulnerable allowlist: "iam.grafana.app": map[string]interface{}{"users": nil, "teams": nil},
=== RUN   TestServiceAccountsRBACBypass
    access_serviceaccount_test.go:18: IsCompatibleWithRBAC(iam.grafana.app, serviceaccounts) = false
    access_serviceaccount_test.go:30: BEHAVIOUR: VULNERABLE - serviceaccounts absent from allowlist, authz is bypassed
    access_serviceaccount_test.go:34: Check serviceaccounts: Allowed=true
    access_serviceaccount_test.go:35: Compile serviceaccounts checker(alpha-sa) = true
--- PASS: TestServiceAccountsRBACBypass (0.00s)
PASS
ok  	github.com/grafana/grafana/pkg/storage/unified/resource	0.040s
[18:08:54] library fixed allowlist: "iam.grafana.app": map[string]interface{}{"users": nil, "teams": nil, "serviceaccounts": nil},
=== RUN   TestServiceAccountsRBACBypass
    access_serviceaccount_test.go:18: IsCompatibleWithRBAC(iam.grafana.app, serviceaccounts) = true
    access_serviceaccount_test.go:26: BEHAVIOUR: FIXED - serviceaccounts in allowlist, underlying deny client is consulted
    access_serviceaccount_test.go:34: Check serviceaccounts: Allowed=false
    access_serviceaccount_test.go:35: Compile serviceaccounts checker(alpha-sa) = false
--- PASS: TestServiceAccountsRBACBypass (0.00s)
PASS
ok  	github.com/grafana/grafana/pkg/storage/unified/resource	0.041s
[18:08:57] library sanity check confirmed vulnerable/fixed authzLimitedClient divergence
[18:08:57] api_http vulnerable allowlist: "iam.grafana.app": map[string]interface{}{"users": nil, "teams": nil},
[18:08:57] api_http compiling package for vulnerable
[18:09:07] api_http running real Grafana HTTP integration for vulnerable
=== RUN   TestIntegrationServiceAccountHTTPScopedListBypass
    testinfra.go:76: Using test database type sqlite3 host port user name path /home/vscode/.cache/grafana-test/grafana-test-4135989987.db
    testinfra.go:76: Grafana is listening on 127.0.0.1:36869
    serviceaccount_http_bypass_integration_test.go:57: HTTP_SURFACE method=GET path=/apis/iam.grafana.app/v0alpha1/namespaces/default/serviceaccounts
    serviceaccount_http_bypass_integration_test.go:58: LOW_PRIV_USER login=scoped-sa-reader basic_role=Viewer grant=serviceaccounts:read scoped_to_alpha_only
    serviceaccount_http_bypass_integration_test.go:109: HTTP_LIST_RESULT_JSON {"items":2,"names":["alpha-sa","beta-sa"],"path":"/apis/iam.grafana.app/v0alpha1/namespaces/default/serviceaccounts","status":200}
    serviceaccount_http_bypass_integration_test.go:110: HTTP_RESPONSE_BODY_PREFIX {"kind":"ServiceAccountList","apiVersion":"iam.grafana.app/v0alpha1","metadata":{"resourceVersion":"1783188569567018"},"items":[{"kind":"ServiceAccount","apiVersion":"iam.grafana.app/v0alpha1","metadata":{"name":"alpha-sa","namespace":"default","uid":"b963fa6d-e36c-44f3-91e6-e3528a14423f","resourceVersion":"1783188569541992","generation":1,"creationTimestamp":"2026-07-04T18:09:29Z","labels":{"grafana.app/deprecatedInternalID":"1813431847460864"},"annotations":{"grafana.app/createdBy":"user:ffr47
    serviceaccount_http_bypass_integration_test.go:115: BEHAVIOUR: VULNERABLE_HTTP - scoped low-priv user received unauthorized beta-sa over original HTTP serviceaccounts list endpoint
--- PASS: TestIntegrationServiceAccountHTTPScopedListBypass (22.88s)
PASS
[18:09:30] api_http fixed allowlist: "iam.grafana.app": map[string]interface{}{"users": nil, "teams": nil, "serviceaccounts": nil},
[18:09:30] api_http compiling package for fixed
[18:09:41] api_http running real Grafana HTTP integration for fixed
=== RUN   TestIntegrationServiceAccountHTTPScopedListBypass
    testinfra.go:76: Using test database type sqlite3 host port user name path /home/vscode/.cache/grafana-test/grafana-test-1423840551.db
    testinfra.go:76: Grafana is listening on 127.0.0.1:40001
    serviceaccount_http_bypass_integration_test.go:57: HTTP_SURFACE method=GET path=/apis/iam.grafana.app/v0alpha1/namespaces/default/serviceaccounts
    serviceaccount_http_bypass_integration_test.go:58: LOW_PRIV_USER login=scoped-sa-reader basic_role=Viewer grant=serviceaccounts:read scoped_to_alpha_only
    serviceaccount_http_bypass_integration_test.go:109: HTTP_LIST_RESULT_JSON {"items":1,"names":["alpha-sa"],"path":"/apis/iam.grafana.app/v0alpha1/namespaces/default/serviceaccounts","status":200}
    serviceaccount_http_bypass_integration_test.go:110: HTTP_RESPONSE_BODY_PREFIX {"kind":"ServiceAccountList","apiVersion":"iam.grafana.app/v0alpha1","metadata":{"resourceVersion":"1783188603731990"},"items":[{"kind":"ServiceAccount","apiVersion":"iam.grafana.app/v0alpha1","metadata":{"name":"alpha-sa","namespace":"default","uid":"77254fb7-acca-49f3-91f1-4fb5c5849078","resourceVersion":"1783188603691998","generation":1,"creationTimestamp":"2026-07-04T18:10:03Z","labels":{"grafana.app/deprecatedInternalID":"1813575084924928"},"annotations":{"grafana.app/createdBy":"user:bfr47
    serviceaccount_http_bypass_integration_test.go:117: BEHAVIOUR: FIXED_HTTP - scoped low-priv user list was filtered to authorized alpha-sa
--- PASS: TestIntegrationServiceAccountHTTPScopedListBypass (23.63s)
PASS
[18:10:04] HTTP PRODUCT PROOF CONFIRMED: original endpoint returns unauthorized beta-sa on vulnerable build and filters it on fixed build
[18:10:05] RESULT: CONFIRMED api_remote authz bypass