[Defend workflows] Stop spreading whole request to ES dsl (#162116)

2025-04-23 17:28:26 -04:00 · 2023-07-19 09:58:45 +02:00 · 2023-07-19 09:58:45 +02:00 · 9c7dda0b90
commit 9c7dda0b90
parent c472fb018b
1 changed files with 15 additions and 2 deletions
--- a/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts
+++ b/x-pack/plugins/osquery/server/search_strategy/osquery/index.ts
@ -39,7 +39,20 @@ export const osquerySearchStrategyProvider = <T extends FactoryQueryTypes>(
        })
      ).pipe(
        mergeMap((exists) => {
-          const dsl = queryFactory.buildDsl({ ...request, componentTemplateExists: exists });
+          const strictRequest = {
+            factoryQueryType: request.factoryQueryType,
+            filterQuery: request.filterQuery,
+            ...('aggregations' in request ? { aggregations: request.aggregations } : {}),
+            ...('pagination' in request ? { pagination: request.pagination } : {}),
+            ...('sort' in request ? { sort: request.sort } : {}),
+            ...('actionId' in request ? { actionId: request.actionId } : {}),
+            ...('agentId' in request ? { agentId: request.agentId } : {}),
+          };
+
+          const dsl = queryFactory.buildDsl({
+            ...strictRequest,
+            componentTemplateExists: exists,
+          } as StrategyRequestType<T>);
          // use internal user for searching .fleet* indices
          es =
            dsl.index?.includes('fleet') || dsl.index?.includes('logs-osquery_manager.action')
@ -48,7 +61,7 @@ export const osquerySearchStrategyProvider = <T extends FactoryQueryTypes>(

          return es.search(
            {
-              ...request,
+              ...strictRequest,
              params: dsl,
            },
            options,