From 20fd7f82b15724ffcb555052793cedce2fe0527c Mon Sep 17 00:00:00 2001 From: James Gowdy Date: Tue, 1 Oct 2024 09:41:40 +0100 Subject: [PATCH 1/4] [ML] Various fixes for code scanning alert issues --- .../ml/nested_property/src/set_nested_property.test.ts | 4 ++++ x-pack/packages/ml/nested_property/src/set_nested_property.ts | 2 +- x-pack/plugins/ml/server/saved_objects/service.ts | 4 ++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts b/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts index 43996f603ffa0..a8c1316da21cd 100644 --- a/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts +++ b/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts @@ -68,5 +68,9 @@ describe('object_utils', () => { const test11 = setNestedProperty(getFalseyObject(), 'the.other_nested.value', 'update'); expect(test11.the.other_nested.value).toBe('update'); + + const test12 = setNestedProperty(getTestObj(), 'the.__proto__', 'update'); + expect(test12.the).toBe('update'); + expect(test12.the.__proto__.update).toBe(undefined); }); }); diff --git a/x-pack/packages/ml/nested_property/src/set_nested_property.ts b/x-pack/packages/ml/nested_property/src/set_nested_property.ts index b963983cb16ab..3e6f18670bb88 100644 --- a/x-pack/packages/ml/nested_property/src/set_nested_property.ts +++ b/x-pack/packages/ml/nested_property/src/set_nested_property.ts @@ -7,7 +7,7 @@ export const setNestedProperty = (obj: Record, accessor: string, value: any) => { let ref = obj; - const accessors = accessor.split('.'); + const accessors = accessor.split('.').filter((a) => a !== '__proto__'); const len = accessors.length; for (let i = 0; i < len - 1; i++) { const attribute = accessors[i]; diff --git a/x-pack/plugins/ml/server/saved_objects/service.ts b/x-pack/plugins/ml/server/saved_objects/service.ts index e6c32f2bc6531..3e0f81a8ba13b 100644 
--- a/x-pack/plugins/ml/server/saved_objects/service.ts +++ b/x-pack/plugins/ml/server/saved_objects/service.ts @@ -328,7 +328,7 @@ export function mlSavedObjectServiceFactory( if (id.match('\\*') === null) { return jobIds.includes(id); } - const regex = new RegExp(id.replace('*', '.*')); + const regex = new RegExp(id.replaceAll('*', '.*')); return jobIds.some((jId) => typeof jId === 'string' && regex.exec(jId)); }); } @@ -640,7 +640,7 @@ export function mlSavedObjectServiceFactory( if (id.match('\\*') === null) { return modelIds.includes(id); } - const regex = new RegExp(id.replace('*', '.*')); + const regex = new RegExp(id.replaceAll('*', '.*')); return modelIds.some((jId) => typeof jId === 'string' && regex.exec(jId)); }); } From 1534834bc85b00bbc23c066223d08ecddfb273e5 Mon Sep 17 00:00:00 2001 From: James Gowdy Date: Tue, 1 Oct 2024 13:49:31 +0100 Subject: [PATCH 2/4] adding check for prototype --- .../ml/nested_property/src/set_nested_property.test.ts | 4 ++++ x-pack/packages/ml/nested_property/src/set_nested_property.ts | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts b/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts index a8c1316da21cd..180454d55c457 100644 --- a/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts +++ b/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts @@ -72,5 +72,9 @@ describe('object_utils', () => { const test12 = setNestedProperty(getTestObj(), 'the.__proto__', 'update'); expect(test12.the).toBe('update'); expect(test12.the.__proto__.update).toBe(undefined); + + const test13 = setNestedProperty(getTestObj(), 'the.prototype', 'update'); + expect(test13.the).toBe('update'); + expect(test13.the.prototype.update).toBe(undefined); }); }); 
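Review bot: In service.ts, both `new RegExp(id.replaceAll('*', '.*'))` lines (the `jobIds` filter at -328 and the `modelIds` filter at -640) still build the pattern from `id` without escaping other regex metacharacters and without anchors. A `.` or `(` in an id is read as regex syntax (an unbalanced one throws a SyntaxError), the match succeeds on any substring of a job or model id, and several wildcards now become several `.*` groups that can backtrack heavily on long ids. If `id` can originate from a request, which these hunks do not show, consider escaping each literal piece and anchoring: `const regex = new RegExp('^' + id.split('*').map(escapeRegExp).join('.*') + '$');` using lodash's `escapeRegExp` or an equivalent helper. Anchoring changes which ids match, so confirm whether substring matching is relied upon; the enclosing filter callbacks start outside the hunks.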
diff --git a/x-pack/packages/ml/nested_property/src/set_nested_property.ts b/x-pack/packages/ml/nested_property/src/set_nested_property.ts index 3e6f18670bb88..cd760fa638d1d 100644 --- a/x-pack/packages/ml/nested_property/src/set_nested_property.ts +++ b/x-pack/packages/ml/nested_property/src/set_nested_property.ts @@ -7,7 +7,7 @@ export const setNestedProperty = (obj: Record, accessor: string, value: any) => { let ref = obj; - const accessors = accessor.split('.').filter((a) => a !== '__proto__'); + const accessors = accessor.split('.').filter((a) => a !== '__proto__' && a !== 'prototype'); const len = accessors.length; for (let i = 0; i < len - 1; i++) { const attribute = accessors[i]; From 70bb748fae66cc470538569d4d7dfca5ec68bb98 Mon Sep 17 00:00:00 2001 From: James Gowdy Date: Tue, 1 Oct 2024 13:55:59 +0100 Subject: [PATCH 3/4] fixing test --- .../packages/ml/nested_property/src/set_nested_property.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts b/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts index 180454d55c457..eb28202d7672d 100644 --- a/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts +++ b/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts @@ -75,6 +75,6 @@ describe('object_utils', () => { const test13 = setNestedProperty(getTestObj(), 'the.prototype', 'update'); expect(test13.the).toBe('update'); - expect(test13.the.prototype.update).toBe(undefined); + expect(test13.the.prototype?.update).toBe(undefined); }); }); From 734ae8695c2579b22376af92bc02aa4a501dfc85 Mon Sep 17 00:00:00 2001 From: James Gowdy Date: Tue, 1 Oct 2024 14:43:45 +0100 Subject: [PATCH 4/4] updating to throw error --- .../src/set_nested_property.test.ts | 16 +++++++++------- .../nested_property/src/set_nested_property.ts | 8 +++++++- 2 files changed, 16 insertions(+), 8 deletions(-) 
diff --git a/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts b/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts index eb28202d7672d..963b0611197db 100644 --- a/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts +++ b/x-pack/packages/ml/nested_property/src/set_nested_property.test.ts @@ -69,12 +69,14 @@ describe('object_utils', () => { const test11 = setNestedProperty(getFalseyObject(), 'the.other_nested.value', 'update'); expect(test11.the.other_nested.value).toBe('update'); - const test12 = setNestedProperty(getTestObj(), 'the.__proto__', 'update'); - expect(test12.the).toBe('update'); - expect(test12.the.__proto__.update).toBe(undefined); - - const test13 = setNestedProperty(getTestObj(), 'the.prototype', 'update'); - expect(test13.the).toBe('update'); - expect(test13.the.prototype?.update).toBe(undefined); + expect(() => { + setNestedProperty(getTestObj(), 'the.__proto__', 'update'); + }).toThrow('Invalid accessor'); + expect(() => { + setNestedProperty(getTestObj(), 'the.prototype', 'update'); + }).toThrow('Invalid accessor'); + expect(() => { + setNestedProperty(getTestObj(), 'the.constructor', 'update'); + }).toThrow('Invalid accessor'); }); }); diff --git a/x-pack/packages/ml/nested_property/src/set_nested_property.ts b/x-pack/packages/ml/nested_property/src/set_nested_property.ts index cd760fa638d1d..6c692cb3a0a08 100644 --- a/x-pack/packages/ml/nested_property/src/set_nested_property.ts +++ b/x-pack/packages/ml/nested_property/src/set_nested_property.ts 
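Review bot: The three new `toThrow('Invalid accessor')` cases in set_nested_property.test.ts only place the rejected key as the last path segment (`'the.__proto__'`, `'the.prototype'`, `'the.constructor'`). The path the guard exists for is a rejected key in a leading or middle position, so add a case such as `expect(() => setNestedProperty(getTestObj(), '__proto__.polluted', 'update')).toThrow('Invalid accessor');`. Follow it with `expect(({} as Record<string, unknown>).polluted).toBe(undefined);` so the test pins the property that matters, namely that no shared prototype was modified, and not only the error message.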
@@ -5,9 +5,15 @@ * 2.0. */ +const INVALID_ACCESSORS = ['__proto__', 'prototype', 'constructor']; + export const setNestedProperty = (obj: Record, accessor: string, value: any) => { let ref = obj; - const accessors = accessor.split('.').filter((a) => a !== '__proto__' && a !== 'prototype'); + const accessors = accessor.split('.'); + if (accessors.some((a) => INVALID_ACCESSORS.includes(a))) { + throw new Error('Invalid accessor'); + } + const len = accessors.length; for (let i = 0; i < len - 1; i++) { const attribute = accessors[i];
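Review bot: The `INVALID_ACCESSORS` check added before the loop rejects the three named keys, but it does not by itself stop the walk from descending into other inherited members of `ref`. Whether the loop guards against that is not visible, because its body continues outside the hunk. An own-property test on each step, for example `Object.prototype.hasOwnProperty.call(ref, attribute)` before following `ref[attribute]`, would limit writes to objects reachable through the caller's own keys regardless of which names are on the list. Separately, `setNestedProperty` now throws on these inputs, so a TSDoc line like `@throws Error 'Invalid accessor' if any path segment is __proto__, prototype or constructor` would help callers. A one-line comment on `INVALID_ACCESSORS` saying that these keys reach shared prototypes would also explain why legitimate fields with those names are rejected.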