Handle decryption in saved object find with partial fields #200049
Labels
bug
Fixes for quality problems that affect the customer experience
Feature:Security/Encrypted Saved Objects
Team:Security
Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Comments
jeramysoucy
added
bug
|
Pinging @elastic/kibana-security (Team:Security) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Related: #198703
Description
The saved object repository's
findfunction allows partial objects to be retrieved via theSavedObjectsFindOptions.fieldsparameter. When this occurs, the partial documents do not undergo migration, however, decryption is still attempted on any attributes withdangerouslyExposeValueset to true.Decryption will fail if:
findis used to resolve encrypted saved object types ANDdangerouslyExposeValueset to true ANDSavedObjectsFindOptions.fieldsparameter contains one of the encrypted attributes that is "dangerously exposed" ANDSavedObjectsFindOptions.fieldsparameter does not include all of the AAD attributesNote: The
findfunction handles decryption failures gracefully, however, an error log is generated for every decryption failure that occurs. Our serverless dashboards and alerts will pick up this failure without knowing the context.This case may never occur, but because it is possible, it should be handled appropriately.
Potential solution
One solution would be to first determine if the find parameters target dangerously exposed encrypted attributes, and if it does, augment the fields parameter value with the required AAD fields in order to perform decryption successfully. The additional fields could be stripped from the objects before returning the response.
The text was updated successfully, but these errors were encountered: