-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution][Lists] Escape quotes in list ids and quote the id in KQL query #93176
Conversation
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
I wonder if there's an opportunity here to allow for parameters, like how SQL uses |
@rw-access yeah I was hoping to find something like that in Kibana already but didn't see it anywhere, doing my own escaping felt dangerous. The KQL parsing in general has a couple different areas where it could be improved, as it also generates sub-optimal queries when the KQL has many terms - each term creates a new level of nesting in the generated DSL, so you can hit nesting limits quickly. |
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
|
||
export const escapeQuotes = (str: string): string => { | ||
return str.replace(/[\\"]/g, '\\$&'); | ||
}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this the same as this one?
x-pack/plugins/data_enhanced/public/autocomplete/providers/kql_query_suggestion/lib/escape_kuery.ts
That looks like it only works client side and not server and isn't part of a common section for usage in both areas which is a bummer.
Wish it was in one common spot. I'm fine with this duplicated here though. I would just maybe? copy maybe over their tests and put a note that there is a duplication between the two in case someone sees them deviate later/change.
The other tests above and the e2e is more than good enough though, wouldn't split hairs on that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep it's the same function, definitely would like to have it in a common place along with the other escaping utilities (and maybe a more robust parameterization scheme like Ross suggested above). For now though it seems a simple enough function to just do the ol' copy paste.
.expect(200); | ||
|
||
const bodyToCompare = removeListServerGeneratedProperties(body); | ||
expect(bodyToCompare).to.eql(getListResponseMockWithoutAutoGeneratedValues()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! Thanks for the e2e test here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
… in KQL query (elastic#93176) * Escape quotes in list ids and quote the id in KQL query * Remove decodeURIComponent because too many KQL queries don't handle quotes * Add quotes to user supplied IDs for other KQL queries Co-authored-by: Kibana Machine <[email protected]>
… in KQL query (elastic#93176) * Escape quotes in list ids and quote the id in KQL query * Remove decodeURIComponent because too many KQL queries don't handle quotes * Add quotes to user supplied IDs for other KQL queries Co-authored-by: Kibana Machine <[email protected]>
… in KQL query (#93176) (#93502) * Escape quotes in list ids and quote the id in KQL query * Remove decodeURIComponent because too many KQL queries don't handle quotes * Add quotes to user supplied IDs for other KQL queries Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
… in KQL query (#93176) (#93503) * Escape quotes in list ids and quote the id in KQL query * Remove decodeURIComponent because too many KQL queries don't handle quotes * Add quotes to user supplied IDs for other KQL queries Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
* master: (48 commits) Fix wrong import in data plugin causing 100kB bundle increase (elastic#93448) [Fleet] Correctly track install status of an integration (elastic#93464) Reviews data frame analytics UI text (elastic#93033) Display multiple copyable fields for process.args in resolver node detail panel (elastic#93280) [Security Solution][Detections] ML Popover overflow fix (elastic#93525) chore(NA): do not use execa on bazel workspace status update script (elastic#93532) Bump dependencies (elastic#93511) [dev/build_ts_refs] support disabling the ts-refs build completely (elastic#93529) [Security Solution] fix data provider cypress test (elastic#93465) Fix service map for All environment single service (elastic#93517) [Fleet] Fix package version comparaison in the UI (elastic#93498) [alerting] adds doc on JSON-expanded action variables and task manager max_workers (elastic#92720) [dev/build_ts_refs] ignore type checking failures when building ts refs (elastic#93473) [core-new-docs] Adds a dev-doc for core documentation (elastic#92976) remove opacity from maps legacy style (elastic#93456) [Security Solution][Lists] Escape quotes in list ids and quote the id in KQL query (elastic#93176) Revert "Make tests deterministic by providing unique timestamps (elastic#93350)" [Discover] Fix link from dashboard saved search to Discover (elastic#92937) update public api docs App Search - Polishing Analytics Views (elastic#92939) ...
Closes #86273
The value list ID was being inserted directly into the KQL filter without being escaped or surrounded by quotes, so special KQL characters in the ID would break the query generation. This PR encloses the IDs in quotes and adds simple escaping logic to the ID (replacing
"
with\"
) so IDs with quotes or other special characters won't break the KQL parsing.We should be on the lookout for other places where we generate KQL queries and insert values that could be user supplied.
Related: when importing value lists, the filename comes in URI encoded and we store it in this URI encoded form. Do we want to decode the URI here so that the filename will be stored in its original form (and also displayed in the original form on the UI)? I found this because quotes in the filename get URI encoded and never decoded if you import using the UI, whereas with the API you can create a list that has quotes in the list_id.
Checklist
Delete any items that are not applicable to this PR.
For maintainers