Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable prototype pollution protection in TSVB #85952

Merged
merged 17 commits into from
Dec 31, 2020

Conversation

DianaDerevyankina
Copy link
Contributor

@DianaDerevyankina DianaDerevyankina commented Dec 15, 2020

Closes #78908

Summary

  • Rename validateObject function to ensureNoUnsafeProperties
  • Moved ensureNoUnsafeProperties to @kbn/std package
  • Used ensureNoUnsafeProperties in TSVB endpoint before the schema validation

Checklist

For maintainers

@DianaDerevyankina DianaDerevyankina added Feature:TSVB TSVB (Time Series Visual Builder) Team:Visualizations Visualization editors, elastic-charts and infrastructure v8.0.0 release_note:skip Skip the PR/issue when compiling release notes v7.11.0 labels Dec 15, 2020
@DianaDerevyankina DianaDerevyankina self-assigned this Dec 15, 2020
@DianaDerevyankina
Copy link
Contributor Author

@elasticmachine merge upstream

@@ -41,6 +42,7 @@ export const visDataRoutes = (
},
async (requestContext, request, response) => {
try {
validateObject(request.body);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@flash1293 could you please confirm that it's exactly is what you described in #78908.

Honestly I don't fully understand why we need it cause I've tried to add __proto__, prototype properties into payload and got the following error: "Invalid request payload JSON format"
Just want to be double sure that we really need it

@alexwizp alexwizp requested a review from flash1293 December 15, 2020 15:10
@flash1293
Copy link
Contributor

@elasticmachine merge upstream

Copy link
Contributor

@flash1293 flash1293 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested this and it's not doing what it should. I'm not sure how validateObject should be used (some documentation would be great), but the request should fail if sensitive keys are used in the request body. It seems like something in the stack is already doing this for the __proto__ key, but it didn't seem to catch constructor.

If the validation fails, it shouldn't just be logged but fail the request with a 400 status code.

@flash1293
Copy link
Contributor

I just realized I'm maybe misunderstanding how constructor is handled - @legrego is it possible this basic form of prototype pollution protection is already baked in into the stack for some reason on a lower level and we don't need to catch it in the route handler?

@legrego
Copy link
Member

legrego commented Dec 16, 2020

I just realized I'm maybe misunderstanding how constructor is handled

constructor on its own isn't problematic, but constructor.prototype is. validateObject should be stopping inputs that contain:

{
  "constructor": { "prototype": "any" }
}

is it possible this basic form of prototype pollution protection is already baked in into the stack for some reason on a lower level and we don't need to catch it in the route handler?

Our newer version of Hapi may be protecting against some cases of prototype pollution, but it doesn't catch everything. It appears to be trying to catch __proto__, but I haven't tested this locally to verify. Based on what I'm seeing, I wouldn't expect Hapi to throw an error when this happens though, so the Invalid request payload JSON format error might be happening for a different reason.

@flash1293
Copy link
Contributor

Thanks @legrego ! @dziyanadzeraviankina , @alexwizp #85952 (review) still holds :)

@flash1293 flash1293 marked this pull request as ready for review December 17, 2020 17:29
@flash1293 flash1293 requested a review from a team December 17, 2020 17:29
@flash1293 flash1293 requested a review from a team as a code owner December 17, 2020 17:29
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-app (Team:KibanaApp)

Copy link
Contributor

@flash1293 flash1293 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

KibanaApp changes LGTM - tested in chrome and __proto__ and constructor.prototype is caught correctly.

@legrego Just to be sure could you take a look as well?


[Home](./index.md) > [kibana-plugin-core-server](./kibana-plugin-core-server.md) > [validateObject](./kibana-plugin-core-server.validateobject.md)

## validateObject() function
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might make sense to add an explanatory sentence to the documentation of this helper

@flash1293
Copy link
Contributor

I'm not sure whether we have an issue for this, but we discussed to remove the soft validation which is still in there. I guess we will tackle that on a separate PR?

@@ -94,3 +94,4 @@ export {
} from './cookie_session_storage';
export * from './types';
export { BasePath, IBasePath } from './base_path_service';
export { validateObject } from './prototype_pollution';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would really like to avoid static functions leaking outside of core. If this needs to be used in plugins, maybe moving it to a package (existing or new) would make sense. wdyt @legrego?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not opposed to moving this into a package. That'd certainly make it easier to consume

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dziyanadzeraviankina we are currently discussing the details with @legrego. Note that if it's mandatory to have this merged for 7.11, we could do the moving/refactoring at a later time. So considerer this approved on my side if this is urgent.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if there's a suitable package for that, maybe it could be moved to kbn-config-schema package, or is it better to create a new one?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would @kbn/std work for this?

Copy link
Member

@legrego legrego left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Naming aside, LGTM!

Exporting a function named validateObject from a package named @kbn/std is really vague. It's not clear from reading this what the purpose of validateObject is. That said, naming is hard so don't consider this a blocker. One idea: ensureNoUnsafeProperties

Copy link
Contributor

@alexwizp alexwizp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

@sulemanof sulemanof left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@DianaDerevyankina
Copy link
Contributor Author

@pgayvallet could you review the changes, please?

@flash1293
Copy link
Contributor

Still LGTM from the KibanaApp side :)

Copy link
Contributor

@mshustov mshustov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok for the core team changes

@alexwizp
Copy link
Contributor

@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
core 448 449 +1
data 611 612 +1
fleet 457 458 +1
graph 170 171 +1
urlDrilldown 28 29 +1
total +5

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
data 268.1KB 270.8KB +2.7KB
fleet 964.6KB 967.2KB +2.7KB
graph 1.3MB 1.3MB +2.7KB
total +8.1KB

Distributable file count

id before after diff
default 48027 48026 -1
oss 27714 27713 -1

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
core 556.2KB 558.9KB +2.7KB
urlDrilldown 51.2KB 53.9KB +2.7KB
total +5.4KB

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@alexwizp alexwizp merged commit aecee92 into elastic:master Dec 31, 2020
alexwizp pushed a commit to alexwizp/kibana that referenced this pull request Dec 31, 2020
* Enable prototype pollution protection in TSVB

Closes elastic#78908

* Update Dock API Changes

* Replace logging failed in validateObject validation with 400 error

* Move validateObject to kbn-std package and add a description

* Update Doc API Changes

* Rename validateObject function to ensureNoUnsafeProperties

* Rename other validateObject occurrences

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
@alexwizp alexwizp added v7.12.0 and removed v7.11.0 labels Dec 31, 2020
alexwizp added a commit that referenced this pull request Dec 31, 2020
* Enable prototype pollution protection in TSVB

Closes #78908

* Update Dock API Changes

* Replace logging failed in validateObject validation with 400 error

* Move validateObject to kbn-std package and add a description

* Update Doc API Changes

* Rename validateObject function to ensureNoUnsafeProperties

* Rename other validateObject occurrences

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: Diana Derevyankina <54894989+DziyanaDzeraviankina@users.noreply.github.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
jloleysens added a commit to jloleysens/kibana that referenced this pull request Jan 4, 2021
…meline-component

* 'master' of github.com:elastic/kibana: (955 commits)
  remove SameSite:None workaround (elastic#86994)
  URL encoding for URL drilldown (elastic#86902)
  [Security Solution] Fix few styling issues (elastic#87045)
  [APM] Custom links can still be created with a read only user. (elastic#87089)
  prevent double update (elastic#86794)
  Upgrade @hapi/hoek to revert hack introduced in hapi v20 upgrade (elastic#87113)
  [APM] Every time the new Header Icon is clicked it fetches data (elastic#87093)
  [APM] Add range query to service map trace walk (elastic#86631)
  [Discover] Deangularize navbar in context app (elastic#86353)
  skip "should schedule actions on legacy alerts" elastic#87010
  🍾 update notice text for 2021
  [logstash] remove "upgrade" functionality now that .logstash is a system index (elastic#87056)
  Enable prototype pollution protection in TSVB (elastic#85952)
  [Security Solution] add a consistent spelling of ES in Policy Response (elastic#87073)
  [SECURITY_SOLUTION][ENDPOINT] Delete Endpoint Policy List code (elastic#87063)
  Adds more URLs to the docs links service (elastic#86972)
  Add missing backticks in reporting-settings.asciidoc (elastic#77979)
  [test/functional_cors] 9000 is sometimes in use, make getPort random (elastic#87050)
  [Security Solution] Fix Timeline filter EuiSuperSelect styling (elastic#87033)
  [Lens] Fix duplicate suggestions on single-bucket charts (elastic#86996)
  ...

# Conflicts:
#	x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/components/index.ts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature:TSVB TSVB (Time Series Visual Builder) release_note:skip Skip the PR/issue when compiling release notes Team:Visualizations Visualization editors, elastic-charts and infrastructure v7.12.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Enable prototype pollution protection in TSVB
9 participants