[SecuritySolution] Fix the error where the fork branch was inserted at the end of the query (#225227)

## Summary

Fix the FORK removal logic to insert the branch in the correct position
when only one FORK branch is valid.

### How to reproduce it
* Start empty kibana
* Generate data with the resolver generator: `node
x-pack/solutions/security/plugins/security_solution/scripts/endpoint/resolver_generator.js`
* Go to "Privileged user monitoring" page and add some privileged users
* On the Dashboard page, scroll down to "Privileged user activity" and
click the "Authentications" tab
* It should display "No results found" instead of an error

### Before fix
![Screenshot 2025-06-25 at 09 16
51](https://github.com/user-attachments/assets/3fe0e9c2-7ab9-4d31-8380-10ce09683d1c)


### After fix
![Screenshot 2025-06-25 at 10 25
15](https://github.com/user-attachments/assets/cc220d66-1f53-4ac4-9615-278784db36ef)

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.


- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Pablo Machado 2025-06-26 13:12:15 +02:00 committed by GitHub
parent b143c8448b
commit 33a0f44c8d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 36 additions and 11 deletions


@ -79,6 +79,33 @@ describe('removeInvalidForkBranchesFromESQL', () => {
`);
});
it('should remove fork and insert valid branch into the right position', () => {
const esql = `
FROM test-index
| EVAL new_field_1 = foo
| EVAL new_field_2 = foo
| FORK
(
EVAL new_field_3 = foo
| EVAL new_field_4 = foo
) (
WHERE not_a_field IS NULL
)
| EVAL new_field_5 = foo
| EVAL new_field_6 = foo`;
expect(esql).not.toBe(undefined);
expect(removeInvalidForkBranchesFromESQL(fields, esql)).toMatchInlineSnapshot(`
"FROM test-index
| EVAL new_field_1 = foo
| EVAL new_field_2 = foo
| EVAL new_field_3 = foo
| EVAL new_field_4 = foo
| EVAL new_field_5 = foo
| EVAL new_field_6 = foo"
`);
});
it('should remove invalid branches and return FORK query if multiple valid branches exist', () => {
const esql =
'FROM test-index | FORK (WHERE foo IS NULL) (WHERE bar IS NULL) (WHERE not_a_field IS NULL)';
@ -104,15 +131,13 @@ describe('removeInvalidForkBranchesFromESQL', () => {
`);
});
// Fix The ESQL walker doesn't enter the sort "order" node for some reason
// This scenario will cause an error if the query sorts by a invalid field that was not present anywhere else
// it('should remove fork if the invalid field is present inside a SORT command with order', () => {
// const esql = 'FROM test-index | FORK (SORT foo) (SORT not_a_field ASC)';
// expect(removeInvalidForkBranchesFromESQL(fields, esql)).toMatchInlineSnapshot(`
// "FROM test-index
// | WHERE foo IS NULL"
// `);
// });
it('should remove fork if the invalid field is present inside a SORT command with order', () => {
const esql = 'FROM test-index | FORK (SORT foo) (SORT not_a_field ASC)';
expect(removeInvalidForkBranchesFromESQL(fields, esql)).toMatchInlineSnapshot(`
"FROM test-index
| SORT foo"
`);
});
it('should remove fork if the invalid field is present inside a WHERE command', () => {
const esql = 'FROM test-index | FORK (WHERE foo IS NULL) (WHERE not_a_field IS NULL)';
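Review bot: `expect(esql).not.toBe(undefined);` in the new "insert valid branch into the right position" test asserts nothing, because `esql` is a template-literal constant declared in the same test two lines above; drop that line and let the inline snapshot be the single assertion. The remaining cases in this file place FORK directly after FROM with nothing after it, where appending at the end and inserting at the removed FORK's index coincide, so this new case with EVAL commands on both sides is the only one that actually pins the ordering and should stay; a second case with a single valid branch that itself contains several commands after a trailing `| SORT` or `| LIMIT` would also confirm the reversed insertion keeps the branch's own command order. The re-enabled SORT test in the second hunk replaces a commented-out expectation that referenced `WHERE foo IS NULL` for a SORT input, so its new `| SORT foo` snapshot is the one consistent with the query.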


@ -87,10 +87,10 @@ function moveForkBranchToToplevel(
forkCommand: ESQLCommand<'fork'>,
validBranch: ESQLAstQueryExpression
) {
mutate.generic.commands.remove(root, forkCommand);
// Find where the fork index is to insert the valid branch
const forkIndex = root.commands.findIndex((cmd) => cmd.name === 'fork');
mutate.generic.commands.remove(root, forkCommand);
validBranch.commands.reverse().forEach((command) => {
mutate.generic.commands.insert(root, command, forkIndex);
});