Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution] [Exceptions] PUT api allows empty item_id but fails validation when fetching the associated list #191315

Closed
dhurley14 opened this issue Aug 26, 2024 · 4 comments
Closed

[Security Solution] [Exceptions] PUT api allows empty item_id but fails validation when fetching the associated list #191315

dhurley14 opened this issue Aug 26, 2024 · 4 comments
Assignees
@vitaliidm
Labels
bug Fixes for quality problems that affect the customer experience fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detection Engine Security Solution Detection Engine Area v8.16.0

Comments

@dhurley14
Copy link
Contributor

dhurley14 commented Aug 26, 2024
edited
Loading

Kibana version:
8.15.0 and below

Describe the bug:
If a customer updates an exception item using the PUT api and consequently sets the item_id to an empty string "", subsequent fetching of that exception item, or fetching the list the item is associated with, will fail validation and result in the UI displaying a 500 error toast.

Exceptions list view (exception lists are visible but toast appears):

Image

Exception list details (list items are not rendered and toast appears):

Image

Steps to reproduce:

  1. Initialize detection engine (visit detection rules page)
  2. Create a shared exception list
  3. Create exception item
  4. Follow the steps outlined below within Kibana Dev Tools
# find the list id
GET kbn:/api/exception_lists/_find

# find the list items
GET kbn:/api/exception_lists/items/_find?list_id=my-list-uuid

# Manipulate item_id to be the empty string for the given item
PUT kbn:/api/exception_lists/items
{
  "description": "Exception list item",
  "entries": [
    {
      "field": "host.foo",
      "operator": "included",
      "type": "exists"
    }
  ],
  "id": "my-item-uuid",
  "item_id": "", <---- empty list_id
  "name": "Test",
  "namespace_type": "single",
  "type": "simple"
}

Now when we try to fetch the exception list that contains the item with the empty item_id we will see the validation failure

# try to fetch the exception list again
GET kbn:/api/exception_lists/items/_find?list_id=my-list-uuid

which returns the validation error

{
  "message": "Invalid value \"\" supplied to \"data,item_id\"",
  "status_code": 500
}

Expected behavior:
Prevent the empty string from being accepted in the PUT route. A null value for item_id is disallowed in the PUT route and I believe the empty string should be treated similarly.
@dhurley14 dhurley14 added the bug Fixes for quality problems that affect the customer experience label Aug 26, 2024
@botelastic botelastic bot added the needs-team Issues missing a team label label Aug 26, 2024
@dhurley14
Copy link
Contributor Author

This is fixed on main by the changes in this PR: #185951 so any fixes for 8.15.x would be committed just for that release branch and can be skipped in main.

@dhurley14 dhurley14 added Team:Detection Engine Security Solution Detection Engine Area and removed needs-team Issues missing a team label labels Aug 26, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-engine (Team:Detection Engine)

@vitaliidm vitaliidm self-assigned this Sep 26, 2024
This was referenced Sep 26, 2024
Merged
Merged
@vitaliidm
Copy link
Contributor

@dhurley14

I created 2 PRs

  1. to fix it in 8.15, as you suggested - [Security Solution][Detection Engine] fixes empty item_id in exception item update request #194172
  2. for 8.16, to fix schema itself in main. Because it is used in code.

I needed 2 PRs, so 8.15 could be tested before PR to main merged and backport created

@yctercero yctercero added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label Sep 28, 2024
vitaliidm added a commit that referenced this issue Sep 30, 2024
@vitaliidm
[Security Solution][Detection Engine] fixes empty item_id in exceptio…
49661a3 
…n item update request schema (#194175)

## Summary

- fixes schema for `updateExceptionListItemSchema` , that led to [error
in 8.15](#191315)

8.15 is fixed in #194172, in
separate PR, since 8.16+ error in not reproducible.
But schema still is not correct. So this PR just fixes schema
vitaliidm added a commit that referenced this issue Sep 30, 2024
@vitaliidm
[Security Solution][Detection Engine] fixes empty item_id in exceptio…
fb1c9e3 
…n item update request (#194172)

## Summary

 - fixes #191315 in 8.15

When trying to update exception item with empty item_id, it will return
error


```JSON
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "[request body]: Invalid value \"\" supplied to \"item_id\""
}
```

<img width="2493" alt="Screenshot 2024-09-26 at 16 05 51"
src="https://github.com/user-attachments/assets/f68bfe94-4a4f-4d44-8255-7ae7fda8563e">


8.16(main) was fixed earlier:
#191315 (comment)
@vitaliidm
Copy link
Contributor

fixed in #194172

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vitaliidm vitaliidm

Labels
bug Fixes for quality problems that affect the customer experience fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detection Engine Security Solution Detection Engine Area v8.16.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dhurley14 @yctercero @elasticmachine @vitaliidm