Limit the category param in find cases API.

Tests.
elastic · Jun 20, 2023 · 532f240 · 532f240
1 parent 4310229
commit 532f240
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 3 deletions.
diff --git a/x-pack/plugins/cases/common/constants/index.ts b/x-pack/plugins/cases/common/constants/index.ts
@@ -104,6 +104,7 @@ export const MAX_DOCS_PER_PAGE = 10000 as const;
 export const MAX_BULK_GET_ATTACHMENTS = MAX_DOCS_PER_PAGE;
 export const MAX_CONCURRENT_SEARCHES = 10 as const;
 export const MAX_BULK_GET_CASES = 1000 as const;
+export const MAX_CATEGORY_FILTER_LENGTH = 100 as const;
 
 /**
  * Validation

diff --git a/x-pack/plugins/cases/server/client/cases/find.test.ts b/x-pack/plugins/cases/server/client/cases/find.test.ts
@@ -8,6 +8,7 @@ import { v1 as uuidv1 } from 'uuid';
 
 import type { Case } from '../../../common/api';
 
+import { MAX_CATEGORY_FILTER_LENGTH } from '../../../common/constants';
 import { flattenCaseSavedObject } from '../../common/utils';
 import { mockCases } from '../../mocks';
 import { createCasesClientMockArgs, createCasesClientMockFindRequest } from '../mocks';
@@ -103,5 +104,15 @@ describe('find', () => {
         'Error: Invalid value "foobar" supplied to "searchFields"'
       );
     });
+
+    it(`invalid category array with > ${MAX_CATEGORY_FILTER_LENGTH} items`, async () => {
+      const category = Array(MAX_CATEGORY_FILTER_LENGTH + 1).fill('foobar');
+
+      const findRequest = createCasesClientMockFindRequest({ category });
+
+      await expect(find(findRequest, clientArgs)).rejects.toThrow(
+        `Error: Too many categories provided. The maximum allowed is ${MAX_CATEGORY_FILTER_LENGTH}`
+      );
+    });
   });
 });
diff --git a/x-pack/plugins/cases/server/client/cases/find.ts b/x-pack/plugins/cases/server/client/cases/find.ts
@@ -8,6 +8,7 @@
 import { isEmpty } from 'lodash';
 import Boom from '@hapi/boom';
 
+import { MAX_CATEGORY_FILTER_LENGTH } from '../../../common/constants';
 import type { CasesFindResponse, CasesFindRequest } from '../../../common/api';
 import {
   CasesFindRequestRt,
@@ -24,6 +25,16 @@ import { LICENSING_CASE_ASSIGNMENT_FEATURE } from '../../common/constants';
 import type { CasesFindQueryParams } from '../types';
 import { decodeOrThrow } from '../../../common/api/runtime_types';
 
+/**
+ * Throws an error if the user tries to filter by more than MAX_CATEGORY_FILTER_LENGTH categories.
+ */
+function throwIfCategoryParamTooLong(category?: string[] | string) {
+  if (Array.isArray(category) && category.length > MAX_CATEGORY_FILTER_LENGTH)
+    throw Boom.badRequest(
+      `Too many categories provided. The maximum allowed is ${MAX_CATEGORY_FILTER_LENGTH}`
+    );
+}
+
 /**
  * Retrieves a case and optionally its comments.
  *
@@ -44,8 +55,7 @@ export const find = async (
   try {
     const queryParams = decodeWithExcessOrThrow(CasesFindRequestRt)(params);
 
-    const { filter: authorizationFilter, ensureSavedObjectsAreAuthorized } =
-      await authorization.getAuthorizationFilter(Operations.findCases);
+    throwIfCategoryParamTooLong(queryParams.category);
 
     /**
      * Assign users to a case is only available to Platinum+
@@ -63,6 +73,9 @@ export const find = async (
       licensingService.notifyUsage(LICENSING_CASE_ASSIGNMENT_FEATURE);
     }
 
+    const { filter: authorizationFilter, ensureSavedObjectsAreAuthorized } =
+      await authorization.getAuthorizationFilter(Operations.findCases);
+
     const queryArgs: CasesFindQueryParams = {
       tags: queryParams.tags,
       reporters: queryParams.reporters,

diff --git a/x-pack/test/cases_api_integration/security_and_spaces/tests/common/cases/find_cases.ts b/x-pack/test/cases_api_integration/security_and_spaces/tests/common/cases/find_cases.ts
@@ -8,7 +8,7 @@
 import { v1 as uuidv1 } from 'uuid';
 
 import expect from '@kbn/expect';
-import { CASES_URL } from '@kbn/cases-plugin/common/constants';
+import { CASES_URL, MAX_CATEGORY_FILTER_LENGTH } from '@kbn/cases-plugin/common/constants';
 import { Case, CaseSeverity, CaseStatuses, CommentType } from '@kbn/cases-plugin/common/api';
 import { ALERTING_CASES_SAVED_OBJECT_INDEX } from '@kbn/core-saved-objects-server';
 import { FtrProviderContext } from '../../../../common/ftr_provider_context';
@@ -349,6 +349,12 @@ export default ({ getService }: FtrProviderContext): void => {
         });
       });
 
+      it('unhappy path - 400s when bad category field supplied', async () => {
+        const category = Array(MAX_CATEGORY_FILTER_LENGTH + 1).fill('foobar');
+
+        await findCases({ supertest, query: { category }, expectedHttpCode: 400 });
+      });
+
       describe('search and searchField', () => {
         beforeEach(async () => {
           await createCase(supertest, postCaseReq);