[18:06:43] PROJECT_CACHE_DIR=/data/pruva/project-cache/6c6f6fd2-6e61-4267-8db1-032ee6a303f9
[18:06:43] REPO=/data/pruva/project-cache/6c6f6fd2-6e61-4267-8db1-032ee6a303f9/repo
[18:06:43] GO=go version go1.26.4 linux/amd64
[18:06:43] original repo HEAD=a209162c2b46da5bc3e39db73452c09436ecd8ff
[18:06:43] fixed commit=8891796ca1086cd234e1715ea71d8db0073cc160 vulnerable parent=c00083433312adb7b7cfef83f74751e1216f67f8
[18:06:43] library vulnerable allowlist: "iam.grafana.app": map[string]interface{}{"users": nil, "teams": nil},
=== RUN   TestServiceAccountsRBACBypass
    access_serviceaccount_test.go:18: IsCompatibleWithRBAC(iam.grafana.app, serviceaccounts) = false
    access_serviceaccount_test.go:30: BEHAVIOUR: VULNERABLE - serviceaccounts absent from allowlist, authz is bypassed
    access_serviceaccount_test.go:34: Check serviceaccounts: Allowed=true
    access_serviceaccount_test.go:35: Compile serviceaccounts checker(alpha-sa) = true
--- PASS: TestServiceAccountsRBACBypass (0.00s)
PASS
ok  github.com/grafana/grafana/pkg/storage/unified/resource 0.051s
[18:06:49] library fixed allowlist: "iam.grafana.app": map[string]interface{}{"users": nil, "teams": nil, "serviceaccounts": nil},
=== RUN   TestServiceAccountsRBACBypass
    access_serviceaccount_test.go:18: IsCompatibleWithRBAC(iam.grafana.app, serviceaccounts) = true
    access_serviceaccount_test.go:26: BEHAVIOUR: FIXED - serviceaccounts in allowlist, underlying deny client is consulted
    access_serviceaccount_test.go:34: Check serviceaccounts: Allowed=false
    access_serviceaccount_test.go:35: Compile serviceaccounts checker(alpha-sa) = false
--- PASS: TestServiceAccountsRBACBypass (0.00s)
PASS
ok  github.com/grafana/grafana/pkg/storage/unified/resource 0.043s
[18:06:55] library sanity check confirmed vulnerable/fixed authzLimitedClient divergence
[18:06:55] api_http vulnerable allowlist: "iam.grafana.app": map[string]interface{}{"users": nil, "teams": nil},
[18:06:55] api_http compiling package for vulnerable
[18:07:06] api_http running real Grafana HTTP integration for vulnerable
=== RUN   TestIntegrationServiceAccountHTTPScopedListBypass
    testinfra.go:76: Using test database type sqlite3 host port user name path /home/vscode/.cache/grafana-test/grafana-test-2373580478.db
    testinfra.go:76: Grafana is listening on 127.0.0.1:37329
    serviceaccount_http_bypass_integration_test.go:57: HTTP_SURFACE method=GET path=/apis/iam.grafana.app/v0alpha1/namespaces/default/serviceaccounts
    serviceaccount_http_bypass_integration_test.go:58: LOW_PRIV_USER login=scoped-sa-reader basic_role=Viewer grant=serviceaccounts:read scoped_to_alpha_only
    serviceaccount_http_bypass_integration_test.go:109: HTTP_LIST_RESULT_JSON {"items":2,"names":["alpha-sa","beta-sa"],"path":"/apis/iam.grafana.app/v0alpha1/namespaces/default/serviceaccounts","status":200}
    serviceaccount_http_bypass_integration_test.go:110: HTTP_RESPONSE_BODY_PREFIX {"kind":"ServiceAccountList","apiVersion":"iam.grafana.app/v0alpha1","metadata":{"resourceVersion":"1783188460099014"},"items":[{"kind":"ServiceAccount","apiVersion":"iam.grafana.app/v0alpha1","metadata":{"name":"alpha-sa","namespace":"default","uid":"8413367d-6baf-4be4-b91b-7a3ae6eacfd1","resourceVersion":"1783188460061998","generation":1,"creationTimestamp":"2026-07-04T18:07:40Z","labels":{"grafana.app/deprecatedInternalID":"1812972656238592"},"annotations":{"grafana.app/createdBy":"user:afr47
    serviceaccount_http_bypass_integration_test.go:115: BEHAVIOUR: VULNERABLE_HTTP - scoped low-priv user received unauthorized beta-sa over original HTTP serviceaccounts list endpoint
--- PASS: TestIntegrationServiceAccountHTTPScopedListBypass (34.44s)
PASS
[18:07:41] api_http fixed allowlist: "iam.grafana.app": map[string]interface{}{"users": nil, "teams": nil, "serviceaccounts": nil},
[18:07:41] api_http compiling package for fixed
[18:07:53] api_http running real Grafana HTTP integration for fixed
=== RUN   TestIntegrationServiceAccountHTTPScopedListBypass
    testinfra.go:76: Using test database type sqlite3 host port user name path /home/vscode/.cache/grafana-test/grafana-test-705087161.db
    testinfra.go:76: Grafana is listening on 127.0.0.1:37211
    serviceaccount_http_bypass_integration_test.go:57: HTTP_SURFACE method=GET path=/apis/iam.grafana.app/v0alpha1/namespaces/default/serviceaccounts
    serviceaccount_http_bypass_integration_test.go:58: LOW_PRIV_USER login=scoped-sa-reader basic_role=Viewer grant=serviceaccounts:read scoped_to_alpha_only
    serviceaccount_http_bypass_integration_test.go:109: HTTP_LIST_RESULT_JSON {"items":1,"names":["alpha-sa"],"path":"/apis/iam.grafana.app/v0alpha1/namespaces/default/serviceaccounts","status":200}
    serviceaccount_http_bypass_integration_test.go:110: HTTP_RESPONSE_BODY_PREFIX {"kind":"ServiceAccountList","apiVersion":"iam.grafana.app/v0alpha1","metadata":{"resourceVersion":"1783188506041995"},"items":[{"kind":"ServiceAccount","apiVersion":"iam.grafana.app/v0alpha1","metadata":{"name":"alpha-sa","namespace":"default","uid":"c561bb14-cc4a-4cb2-b93e-489b29c2fb7c","resourceVersion":"1783188506017010","generation":1,"creationTimestamp":"2026-07-04T18:08:26Z","labels":{"grafana.app/deprecatedInternalID":"1813165406695424"},"annotations":{"grafana.app/createdBy":"user:bfr47
    serviceaccount_http_bypass_integration_test.go:117: BEHAVIOUR: FIXED_HTTP - scoped low-priv user list was filtered to authorized alpha-sa
--- PASS: TestIntegrationServiceAccountHTTPScopedListBypass (33.60s)
PASS
[18:08:27] HTTP PRODUCT PROOF CONFIRMED: original endpoint returns unauthorized beta-sa on vulnerable build and filters it on fixed build
[18:08:27] RESULT: CONFIRMED api_remote authz bypass