Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable prototype pollution protection in TSVB #85952

Merged
merged 17 commits into from
Dec 31, 2020
Merged

Enable prototype pollution protection in TSVB #85952

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
2724105
Enable prototype pollution protection in TSVB
DianaDerevyankina Dec 15, 2020
8f12f42
Merge branch 'master' into Diana/78908
kibanamachine Dec 15, 2020
389eb9c
Merge branch 'master' into Diana/78908
DianaDerevyankina Dec 15, 2020
9b74da8
Merge branch 'master' into Diana/78908
DianaDerevyankina Dec 16, 2020
631bd57
Update Dock API Changes
DianaDerevyankina Dec 16, 2020
01711fd
Merge branch 'master' into Diana/78908
kibanamachine Dec 16, 2020
0e2ce95
Merge branch 'master' into Diana/78908
DianaDerevyankina Dec 17, 2020
e773319
Merge branch 'Diana/78908' of https://github.com/DianaDerevyankina/ki…
DianaDerevyankina Dec 17, 2020
679417c
Replace logging failed in validateObject validation with 400 error
DianaDerevyankina Dec 17, 2020
82cff88
Merge branch 'master' into Diana/78908
DianaDerevyankina Dec 18, 2020
0555f02
Move validateObject to kbn-std package and add a description
DianaDerevyankina Dec 18, 2020
4160164
Merge branch 'master' into Diana/78908
DianaDerevyankina Dec 18, 2020
7b9aff0
Update Doc API Changes
DianaDerevyankina Dec 18, 2020
b9185ee
Merge branch 'master' into Diana/78908
DianaDerevyankina Dec 21, 2020
4261fbe
Rename validateObject function to ensureNoUnsafeProperties
DianaDerevyankina Dec 21, 2020
8f1f8a9
Rename other validateObject occurrences
DianaDerevyankina Dec 21, 2020
59a0e40
Merge branch 'master' into Diana/78908
kibanamachine Dec 30, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
0 ..._snapshots__/validate_object.test.ts.snap → ..._snapshots__/validate_object.test.ts.snap
View file
Open in desktop
File renamed without changes.
1 change: 1 addition & 0 deletions packages/kbn-std/src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,4 +27,5 @@ export { withTimeout } from './promise';
export { isRelativeUrl, modifyUrl, getUrlOrigin, URLMeaningfulParts } from './url';
export { unset } from './unset';
export { getFlattenedObject } from './get_flattened_object';
export { validateObject } from './validate_object';
export * from './rxjs_7';
0 ...ototype_pollution/validate_object.test.ts → packages/kbn-std/src/validate_object.test.ts
View file
Open in desktop
File renamed without changes.
0 ...tp/prototype_pollution/validate_object.ts → packages/kbn-std/src/validate_object.ts
View file
Open in desktop
File renamed without changes.
2 changes: 1 addition & 1 deletion src/core/server/http/http_tools.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,8 @@ import Hoek from '@hapi/hoek';
import type { ServerOptions as TLSOptions } from 'https';
import type { ValidationError } from 'joi';
import uuid from 'uuid';
import { validateObject } from '@kbn/std';
import { HttpConfig } from './http_config';
import { validateObject } from './prototype_pollution';

const corsAllowedHeaders = ['Accept', 'Authorization', 'Content-Type', 'If-None-Match', 'kbn-xsrf'];
/**
Expand Down
20 changes: 0 additions & 20 deletions src/core/server/http/prototype_pollution/index.ts
View file
Open in desktop

This file was deleted.

9 changes: 9 additions & 0 deletions src/plugins/vis_type_timeseries/server/routes/vis.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@

import { IRouter, KibanaRequest } from 'kibana/server';
import { schema } from '@kbn/config-schema';
import { validateObject } from '@kbn/std';
import { getVisData, GetVisDataOptions } from '../lib/get_vis_data';
import { visPayloadSchema } from '../../common/vis_schema';
import { ROUTES } from '../../common/constants';
Expand All @@ -40,6 +41,14 @@ export const visDataRoutes = (
},
},
async (requestContext, request, response) => {
try {
validateObject(request.body);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@flash1293 could you please confirm that it's exactly is what you described in #78908.

Honestly I don't fully understand why we need it cause I've tried to add __proto__, prototype properties into payload and got the following error: "Invalid request payload JSON format"
Just want to be double sure that we really need it

} catch (error) {
return response.badRequest({
body: error.message,
});
}

try {
visPayloadSchema.validate(request.body);
} catch (error) {
Expand Down