-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution][Lists] Escape quotes in list ids and quote the id in KQL query #93176
Merged
Merged
Changes from all commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
51d71ae
Escape quotes in list ids and quote the id in KQL query
marshallmain b064b7a
Remove decodeURIComponent because too many KQL queries don't handle q…
marshallmain d926295
Add quotes to user supplied IDs for other KQL queries
marshallmain 4621d36
Merge branch 'master' into escape-list-ids
kibanamachine File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
10 changes: 10 additions & 0 deletions
10
x-pack/plugins/lists/server/services/utils/escape_query.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
export const escapeQuotes = (str: string): string => { | ||
return str.replace(/[\\"]/g, '\\$&'); | ||
}; | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -63,6 +63,28 @@ export default ({ getService }: FtrProviderContext) => { | |
expect(bodyToCompare).to.eql(getListResponseMockWithoutAutoGeneratedValues()); | ||
}); | ||
|
||
it('should delete a single list with a list id containing non-alphanumeric characters', async () => { | ||
// create a list | ||
const id = `some""-list-id"(1)`; | ||
await supertest | ||
.post(LIST_URL) | ||
.set('kbn-xsrf', 'true') | ||
.send({ | ||
...getCreateMinimalListSchemaMock(), | ||
id, | ||
}) | ||
.expect(200); | ||
|
||
// delete the list by its list id | ||
const { body } = await supertest | ||
.delete(`${LIST_URL}?id=${id}`) | ||
.set('kbn-xsrf', 'true') | ||
.expect(200); | ||
|
||
const bodyToCompare = removeListServerGeneratedProperties(body); | ||
expect(bodyToCompare).to.eql(getListResponseMockWithoutAutoGeneratedValues()); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Nice! Thanks for the e2e test here. |
||
}); | ||
|
||
it('should delete a single list using an auto generated id', async () => { | ||
// add a list | ||
const { body: bodyWithCreatedList } = await supertest | ||
|
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this the same as this one?
x-pack/plugins/data_enhanced/public/autocomplete/providers/kql_query_suggestion/lib/escape_kuery.ts
That looks like it only works client side and not server and isn't part of a common section for usage in both areas which is a bummer.
Wish it was in one common spot. I'm fine with this duplicated here though. I would just maybe? copy maybe over their tests and put a note that there is a duplication between the two in case someone sees them deviate later/change.
The other tests above and the e2e is more than good enough though, wouldn't split hairs on that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep it's the same function, definitely would like to have it in a common place along with the other escaping utilities (and maybe a more robust parameterization scheme like Ross suggested above). For now though it seems a simple enough function to just do the ol' copy paste.