Is Grafana vulnerable to SQL Injection

Hello guys, since I'm new to Grafana, I have some questions about security. Currently I'm using Grafana, and let's say that for a TimeSeries chart I'm using this query

SELECT time, quantity FROM production
WHERE category = '$category'
ORDER BY time;

And $category is a variable that can be changed in the URL to change the SELECT results.
Like this:
http://mydomain.com/grafana/d-solo/be2a94cf-de6b-4274-a590-cc049dd49c7e/ghg-emissions-country-level?orgId=1&theme=light&panelId=2&var-category=**something**
My question is: on Grafana, is this query somehow vulnerable to SQL injection, or does Grafana handle that?

And another thing is the API: because I'm using embedded panels, the embedded panels will make requests to the Grafana API. Can they manipulate it or somehow do SQL injection via the API?

What kind of permissions does the user for the MySQL connection have?
Don't give blanket permissions. Also don't give user permissions. Use security groups and add the Grafana user to that security group, and configure that security group to have limited permissions.

Regardless of what Grafana does, you need to control what you have control over, which is securing your database.
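Added example, not from this thread and not Grafana's own code. It puts the two points above side by side: the original post's question about what happens when `'$category'` is substituted into the query text (Grafana interpolates template variables into the SQL string before it is sent to the database, so the quoting written into the query is all that separates the `var-category` URL parameter from the SQL), and the reply's point that the database account's permissions are the control you own regardless of Grafana. Assumptions: the `sqlstring()` function emulates the behaviour of Grafana's `${var:sqlstring}` format option (quote the value, double embedded quotes) rather than calling Grafana; the allowlist regex is a made-up policy for simple category tokens; the sample rows are constructed; and SQLite's `PRAGMA query_only` stands in for a MySQL user that only has SELECT on the table.

```python
import re
import sqlite3

# Constructed sample rows standing in for the thread's `production` table.
SAMPLE_ROWS = [
    ("2024-01-01", "steel", 10),
    ("2024-01-01", "cement", 20),
    ("2024-01-02", "steel", 12),
]

# Allowlist for a single category value (assumption: categories are simple tokens).
ALLOWED_CATEGORY = re.compile(r"[A-Za-z0-9_-]{1,64}")


def open_db(read_only: bool) -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL database behind the panel.

    read_only=True emulates a SELECT-only database user with SQLite's
    query_only pragma; in MySQL the equivalent is an account granted only SELECT.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE production (time TEXT, category TEXT, quantity INTEGER)")
    con.executemany("INSERT INTO production VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    if read_only:
        con.execute("PRAGMA query_only = 1")
    return con


def raw_query(category: str) -> str:
    """The panel query from the thread with '$category' substituted verbatim,
    which is what plain template-variable interpolation produces."""
    return ("SELECT time, quantity FROM production "
            f"WHERE category = '{category}' ORDER BY time;")


def sqlstring(value: str) -> str:
    """Emulation (assumption) of Grafana's ${var:sqlstring} format option:
    wrap the value in single quotes and double any embedded single quote."""
    return "'" + value.replace("'", "''") + "'"


def escaped_query(category: str) -> str:
    """Same query, but the variable is inserted through the sqlstring formatter,
    so the quoting comes from the formatter instead of the query text."""
    return ("SELECT time, quantity FROM production "
            f"WHERE category = {sqlstring(category)} ORDER BY time;")


def is_allowed_category(value: str) -> bool:
    """Defence in depth: reject anything that is not a plain category token."""
    return ALLOWED_CATEGORY.fullmatch(value) is not None


def run(con: sqlite3.Connection, sql: str) -> list:
    """Execute one statement and return the result rows."""
    return con.execute(sql).fetchall()


def write_rejected(con: sqlite3.Connection) -> bool:
    """True if the connection refuses a write, i.e. the read-only grant holds."""
    try:
        con.execute("DELETE FROM production")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    crafted = "x' OR 'a'='a"  # a value a caller could place in var-category
    con = open_db(read_only=True)
    print(run(con, raw_query("steel")))       # the two steel rows
    print(run(con, raw_query(crafted)))       # filter bypassed: all three rows
    print(run(con, escaped_query(crafted)))   # treated as a literal: no rows
    print(is_allowed_category(crafted))       # False
    print(write_rejected(con))                # True: SELECT-only account holds
```

The takeaway matches the thread: with verbatim interpolation the category filter can be widened from the URL, the `sqlstring`-style formatting keeps the value a literal, and even when the query text is wrong a SELECT-only database account limits what a bad value can reach.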


I only granted read permissions for the table in question, and the user cannot do anything else except for performing a SELECT operation on the assigned database.

I believe this configuration is “secure,” and this is how it is intended to be done for Grafana.