-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Np migration tsvb route validation #51850
Np migration tsvb route validation #51850
Conversation
Pinging @elastic/kibana-app (Team:KibanaApp) |
💔 Build Failed |
…TSVB_route_validation
…TSVB_route_validation
…TSVB_route_validation
…TSVB_route_validation
Jenkins, test this. |
💔 Build Failed |
💚 Build Succeeded |
I clicked through all of the tabs and played around with all of the settings, but still not sure whether all cases are covered. This should be reviewed by as many eyes as possible. @legrego @timroes was thinking to run this validation in a non-blocking mode for a minor and report failures via telemetry to make sure we didn't forget to cover some cases. That would mean however that we wouldn't have in-depth validation for 7.6. What do you think? |
@flash1293 @timroes @legrego I was thinking that maybe we could do the 'soft' validation by allowing the default payload validation that checks for prototype pollution to run and moving the custom validator into the handler with a soft error. That way, we still guard against malicious payloads but retain the custom one for final migration efforts. |
@TinaHeiligers What exactly do you mean by soft error? Just logging the validation failure (and maybe reporting it as I suggested above)? |
.items(queryObject) | ||
.allow(null) | ||
.required(), | ||
state: Joi.object({}).required(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did a quick search of the code, and it looks like the only expected property here is sort
:
Line 28 in 5887526
const { sort } = req.payload.state; |
Are you aware of others? If not, we should be explicit about the set of allowed keys.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @legrego , it was a huge payload to unpack and some of these items may have fallen through the cracks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added it to the validation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@TinaHeiligers it was a massive payload -- thanks so much for taking care of this!
@flash1293 thanks!
@flash1293 what I meant was the same as you suggested. |
src/legacy/core_plugins/vis_type_timeseries/public/request_handler.js
Outdated
Show resolved
Hide resolved
@@ -28,6 +28,8 @@ import { visDataRoutes } from './routes/vis'; | |||
import { SearchStrategiesRegister } from './lib/search_strategies/search_strategies_register'; | |||
// @ts-ignore | |||
import { getVisData } from './lib/get_vis_data'; | |||
import { UsageCollectionSetup } from '../../../../plugins/usage_collection/server'; | |||
import { ValidationTelemetryService } from './validation_telemetry/validation_telemetry_service'; | |||
|
|||
// TODO: Remove as CoreSetup is completed. | |||
export interface CustomCoreSetup { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Related to one of previous comment. Not sure that we need it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please see comments above
…_route_validation
💔 Build FailedHistory
To update your PR or re-run it, just comment with: |
Updated behavior: No config flag, but extend the error message in the logs with the saved object id of the visualization that caused the error: cc @timroes |
ignore: [404], | ||
}); | ||
return { | ||
failed_validations: get( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Optional chainging and nullish coallescing for the win :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left one small code comment. Tested on Chrome Linux, checked that a modified request will show the warning and also trigger the counter to go up, checked in telemetry summary in advanced settings that counter is set properly. LGTM
visState: VisState, | ||
schemas: Schemas, | ||
uiState: any, | ||
meta?: { savedObjectId?: string } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we want to make a TODO here or directly create an issue, that we remove this again once we enable hard validation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@elasticmachine merge upstream |
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AppArch code changes LGTM.
* upstream/master: (26 commits) Take page offset into account too (elastic#54567) [APM] Support error.{log,exception}.stacktrace.classname (elastic#54577) Np migration tsvb route validation (elastic#51850) [ML] MML calculator enhancements for multi-metric job wizard (elastic#54573) [SIEM] Fix Inspect query 'request timestamp' value changes when curso… (elastic#54223) Fix chromeless NP apps not using full page width (elastic#54550) Remove extraneous public import to prevent failing Kibana startup (elastic#54676) [Uptime] Temporarily skip flakey tests (elastic#54675) Skip failing uptime tests Create UI for alerting and actions plugin (elastic#48959) [dev/build/sass] build stylesheets for disabled plugins too (elastic#54654) [SIEM] Use bulk actions API when updating or deleting rules (elastic#54521) Support "Deprecated" label in advanced settings (elastic#54539) [Maps] add text halo color and width style properties (elastic#53827) Service Map Data API at Runtime (elastic#54027) [SIEM] Detection Engine Create Rule Design Review #1 (elastic#54442) Skip flaky test [Canvas] Enable Embeddable maps (elastic#53971) [SIEM][Detection Engine] Increases the number or rules you can view on a single page (elastic#54628) uiSettings - use validation field for image field maxSize (elastic#54522) ...
Summary
Relates to https://github.com/elastic/kibana-team/issues/166.
Adds payload validation using Joi to the TSVB post route
/api/metrics/vis/data.
Checklist
Use
strikethroughsto remove checklist items you don't feel are applicable to this PR.- [ ] This was checked for cross-browser compatibility, including a check against IE11- [ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support- [ ] Documentation was added for features that require explanation or tutorials- [ ] Unit or functional tests were updated or added to match the most common scenarios- [ ] This was checked for keyboard-only and screenreader accessibilityFor maintainers
- [ ] This includes a feature addition or change that requires a release note and was labeled appropriately