Np migration tsvb route validation #51850
Conversation
TinaHeiligers
added
Feature:TSVB
|
Pinging @elastic/kibana-app (Team:KibanaApp) |
💔 Build Failed |
…TSVB_route_validation
…TSVB_route_validation
…TSVB_route_validation
…TSVB_route_validation
|
Jenkins, test this. |
💔 Build Failed |
💚 Build Succeeded |
|
I clicked through all of the tabs and played around with all of the settings, but still not sure whether all cases are covered. This should be reviewed by as many eyes as possible. @legrego @timroes was thinking to run this validation in a non-blocking mode for a minor and report failures via telemetry to make sure we didn't forget to cover some cases. That would mean however that we wouldn't have in-depth validation for 7.6. What do you think? |
@flash1293 @timroes @legrego I was thinking that maybe we could do the 'soft' validation by allowing the default payload validation that checks for prototype pollution to run and moving the custom validator into the handler with a soft error. That way, we still guard against malicious payloads but retain the custom one for final migration efforts. |
|
@TinaHeiligers What exactly do you mean by soft error? Just logging the validation failure (and maybe reporting it as I suggested above)? |
| .items(queryObject) | ||
| .allow(null) | ||
| .required(), | ||
| state: Joi.object({}).required(), |
There was a problem hiding this comment.
I did a quick search of the code, and it looks like the only expected property here is sort:
Are you aware of others? If not, we should be explicit about the set of allowed keys.
There was a problem hiding this comment.
Thanks @legrego , it was a huge payload to unpack and some of these items may have fallen through the cracks.
There was a problem hiding this comment.
Added it to the validation.
There was a problem hiding this comment.
@TinaHeiligers it was a massive payload -- thanks so much for taking care of this!
@flash1293 thanks!
|
@flash1293 what I meant was the same as you suggested. |
src/legacy/core_plugins/vis_type_timeseries/public/request_handler.js
Outdated
Show resolved
Hide resolved
| @@ -28,6 +28,8 @@ import { visDataRoutes } from './routes/vis'; | |||
| import { SearchStrategiesRegister } from './lib/search_strategies/search_strategies_register'; | |||
| // @ts-ignore | |||
| import { getVisData } from './lib/get_vis_data'; | |||
| import { UsageCollectionSetup } from '../../../../plugins/usage_collection/server'; | |||
| import { ValidationTelemetryService } from './validation_telemetry/validation_telemetry_service'; | |||
|
|
|||
| // TODO: Remove as CoreSetup is completed. | |||
| export interface CustomCoreSetup { | |||
There was a problem hiding this comment.
Related to one of previous comment. Not sure that we need it
…_route_validation
💔 Build FailedHistory
To update your PR or re-run it, just comment with: |
|
Updated behavior: No config flag, but extend the error message in the logs with the saved object id of the visualization that caused the error: cc @timroes |
| ignore: [404], | ||
| }); | ||
| return { | ||
| failed_validations: get( |
There was a problem hiding this comment.
Optional chainging and nullish coallescing for the win :-)
| visState: VisState, | ||
| schemas: Schemas, | ||
| uiState: any, | ||
| meta?: { savedObjectId?: string } |
There was a problem hiding this comment.
Maybe we want to make a TODO here or directly create an issue, that we remove this again once we enable hard validation?
|
@elasticmachine merge upstream |
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
* upstream/master: (26 commits) Take page offset into account too (elastic#54567) [APM] Support error.{log,exception}.stacktrace.classname (elastic#54577) Np migration tsvb route validation (elastic#51850) [ML] MML calculator enhancements for multi-metric job wizard (elastic#54573) [SIEM] Fix Inspect query 'request timestamp' value changes when curso… (elastic#54223) Fix chromeless NP apps not using full page width (elastic#54550) Remove extraneous public import to prevent failing Kibana startup (elastic#54676) [Uptime] Temporarily skip flakey tests (elastic#54675) Skip failing uptime tests Create UI for alerting and actions plugin (elastic#48959) [dev/build/sass] build stylesheets for disabled plugins too (elastic#54654) [SIEM] Use bulk actions API when updating or deleting rules (elastic#54521) Support "Deprecated" label in advanced settings (elastic#54539) [Maps] add text halo color and width style properties (elastic#53827) Service Map Data API at Runtime (elastic#54027) [SIEM] Detection Engine Create Rule Design Review #1 (elastic#54442) Skip flaky test [Canvas] Enable Embeddable maps (elastic#53971) [SIEM][Detection Engine] Increases the number or rules you can view on a single page (elastic#54628) uiSettings - use validation field for image field maxSize (elastic#54522) ...
Summary
Relates to https://github.com/elastic/kibana-team/issues/166.
Adds payload validation using Joi to the TSVB post route
/api/metrics/vis/data.Checklist
Use
strikethroughsto remove checklist items you don't feel are applicable to this PR.- [ ] This was checked for cross-browser compatibility, including a check against IE11- [ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support- [ ] Documentation was added for features that require explanation or tutorials- [ ] Unit or functional tests were updated or added to match the most common scenarios- [ ] This was checked for keyboard-only and screenreader accessibilityFor maintainers
- [ ] This includes a feature addition or change that requires a release note and was labeled appropriately