[Patch] Graphite SSRF patch #392
Do we have a readme or doc for all supported config/settings? If not, could we add the example config for (blocklist) into opensearch_dashboards.yml?
will do
I agree. We should have a description in the
Signed-off-by: Anan Zhuang <[email protected]>
LGTM
Only the comment related to the typo needs to be addressed; some nitpicks, but it works nicely!
I specifically ensured the backwards compatibility was still working as expected. Nothing to worry about there!
Thanks!
LGTM!
Looks good. Thanks!
* ssrf patch
  Signed-off-by: Anan Zhuang <[email protected]>
* revise based on PR comments
  Signed-off-by: Anan Zhuang <[email protected]>
* revise unit test and comments
  Signed-off-by: Anan Zhuang <[email protected]>
* fix lint issue
  Signed-off-by: Anan Zhuang <[email protected]>
* add helper
  Signed-off-by: Anan Zhuang <[email protected]>
* fix bug
  Signed-off-by: Anan Zhuang <[email protected]>
* fix comments
  Signed-off-by: Anan Zhuang <[email protected]>
* fix frontend display. helper should not show in visualize
  Signed-off-by: Anan Zhuang <[email protected]>
Signed-off-by: Anan Zhuang [email protected]
Description

This PR is an implementation of the SSRF patch. This patch allows customers to choose an allowlist (vis_type_timeline.graphiteUrls), a blocklist (vis_type_timeline.blocklist), or both to verify their users' Graphite URL inputs. Customers can simply enable or disable these settings in the opensearch_dashboards.yml file to control which method they would like to apply for the safety check.

Only allowlist
timeline:graphite.url: the first URL in the allowlist is shown as the default setting in the text box. For example, vis_type_timeline.graphiteUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite']

Only blocklist
timeline:graphite.url: empty text box. For example, vis_type_timeline.blocklist: ['127.0.0.0/8']

Both blocklist and allowlist
timeline:graphite.url: the first URL in the allowlist is shown as the default setting in the text box. For example, vis_type_timeline.graphiteUrls: ['https://www.hostedgraphite.com/UID/ACCESS_KEY/graphite'] and vis_type_timeline.blocklist: ['127.0.0.0/8']

Neither blocklist nor allowlist
timeline:graphite.url: empty text box

Notice

This PR doesn't implement the proposed combined UI component (a text box that also allows for a drop-down menu) due to the following consideration: timeline:graphite.url should be a place for users to enter their own URL for the access check. It should not expose other users' URLs. Therefore, a simple text box is enough for users to input their own Graphite URL. If this part needs further discussion, a separate PR could be opened, since this would not affect security and would just be a UI component change.
Issues Resolved
#331
Instruction to recreate the issue

1. vis_type_timeline.graphiteAllowedUrls and vis_type_timeline.graphiteBlockedIPs (pick one or both) in opensearch_dashboards.yml in the config folder
2. Stack Management > Advanced Settings, then find the Timeline section and the Graphite URL text box
3. Visualize > Create visualization, then click Timeline
4. In the Timeline expression, use the graphite function: .graphite(1) (1 is the passed parameter, just an example)