Enable prototype pollution protection in TSVB #78908
Assignees
Labels
Feature:TSVB
TSVB (Time Series Visual Builder)
Team:Visualizations
Visualization editors, elastic-charts and infrastructure
Comments
flash1293
added
Feature:TSVB
|
Pinging @elastic/kibana-app (Team:KibanaApp) |
|
cc @timroes |
|
@joshdover do you think it would make sense to export this method from core, so every HTTP service could use it instead of copying that code over? |
|
I guess in theory we want all routes to use strict validation schemes. But that's not always possible (e.g. when piping through Elasticsearch dsl) - for these cases one approach would be to introduce a new option as part of |
8 tasks
DianaDerevyankina
added a commit
to DianaDerevyankina/kibana
that referenced
this issue
Dec 15, 2020
2 tasks
alexwizp
pushed a commit
that referenced
this issue
Dec 31, 2020
* Enable prototype pollution protection in TSVB Closes #78908 * Update Dock API Changes * Replace logging failed in validateObject validation with 400 error * Move validateObject to kbn-std package and add a description * Update Doc API Changes * Rename validateObject function to ensureNoUnsafeProperties * Rename other validateObject occurrences Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
alexwizp
pushed a commit
to alexwizp/kibana
that referenced
this issue
Dec 31, 2020
* Enable prototype pollution protection in TSVB Closes elastic#78908 * Update Dock API Changes * Replace logging failed in validateObject validation with 400 error * Move validateObject to kbn-std package and add a description * Update Doc API Changes * Rename validateObject function to ensureNoUnsafeProperties * Rename other validateObject occurrences Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
alexwizp
added a commit
that referenced
this issue
Dec 31, 2020
* Enable prototype pollution protection in TSVB Closes #78908 * Update Dock API Changes * Replace logging failed in validateObject validation with 400 error * Move validateObject to kbn-std package and add a description * Update Doc API Changes * Rename validateObject function to ensureNoUnsafeProperties * Rename other validateObject occurrences Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Diana Derevyankina <54894989+DziyanaDzeraviankina@users.noreply.github.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently the TSVB endpoint in
kibana/src/plugins/vis_type_timeseries/server/routes/vis.ts
Line 43 in 75a1459
To put some protection in place, the same logic as used in core should be applied, failing the request if some known malicious keys are specified somewhere in the request object:
kibana/src/core/server/http/prototype_pollution/validate_object.ts
Line 34 in 1c415e0
We should still strive to complete the strict schema to cover all possible configurations in the long term.
Tasks:
validateObjecthelper method from core so it's usable in plugins as wellThe text was updated successfully, but these errors were encountered: