[Reporting] Add browser timezone validation (#141135)

* Add timezone validation to the request handler * Add timezone validation to the immediate search source export type
2025-04-24 17:59:23 -04:00 · 2022-09-23 09:19:12 +02:00 · 2022-09-23 09:19:12 +02:00 · a9908dd7eb
commit a9908dd7eb
parent 488f2cb05b
4 changed files with 48 additions and 3 deletions
--- a/x-pack/plugins/reporting/server/routes/generate/csv_searchsource_immediate.ts
+++ b/x-pack/plugins/reporting/server/routes/generate/csv_searchsource_immediate.ts
@ -5,6 +5,7 @@
 * 2.0.
 */

+import moment from 'moment';
 import { schema } from '@kbn/config-schema';
 import type { KibanaRequest, Logger } from '@kbn/core/server';
 import { incrementApiUsageCounter } from '..';
@ -13,7 +14,6 @@ import { CSV_SEARCHSOURCE_IMMEDIATE_TYPE } from '../../../common/constants';
 import { runTaskFnFactory } from '../../export_types/csv_searchsource_immediate/execute_job';
 import type { JobParamsDownloadCSV } from '../../export_types/csv_searchsource_immediate/types';
 import { PassThroughStream } from '../../lib';
-import type { BaseParams } from '../../types';
 import { authorizedUserPreRouting } from '../lib/authorized_user_pre_routing';
 import { RequestHandler } from '../lib/request_handler';

@ -55,7 +55,11 @@ export function registerGenerateCsvFromSavedObjectImmediate(
        body: schema.object({
          columns: schema.maybe(schema.arrayOf(schema.string())),
          searchSource: schema.object({}, { unknowns: 'allow' }),
-          browserTimezone: schema.string({ defaultValue: 'UTC' }),
+          browserTimezone: schema.string({
+            defaultValue: 'UTC',
+            validate: (value) =>
+              moment.tz.zone(value) ? undefined : `Invalid timezone "${typeof value}".`,
+          }),
          title: schema.string(),
          version: schema.maybe(schema.string()),
        }),
@ -76,7 +80,7 @@ export function registerGenerateCsvFromSavedObjectImmediate(
        const eventLog = reporting.getEventLogger({
          jobtype: CSV_SEARCHSOURCE_IMMEDIATE_TYPE,
          created_by: user && user.username,
-          payload: { browserTimezone: (req.params as BaseParams).browserTimezone },
+          payload: { browserTimezone: req.body.browserTimezone },
        });
        const logError = (error: Error) => {
          logger.error(error);
--- a/x-pack/plugins/reporting/server/routes/generate/integration_tests/generation_from_jobparams.test.ts
+++ b/x-pack/plugins/reporting/server/routes/generate/integration_tests/generation_from_jobparams.test.ts
@ -155,6 +155,20 @@ describe('POST /api/reporting/generate', () => {
      );
  });

+  it('returns 400 on invalid browser timezone', async () => {
+    registerJobGenerationRoutes(mockReportingCore, mockLogger);
+
+    await server.start();
+
+    await supertest(httpSetup.server.listener)
+      .post('/api/reporting/generate/printablePdf')
+      .send({ jobParams: rison.encode({ browserTimezone: 'America/Amsterdam', title: `abc` }) })
+      .expect(400)
+      .then(({ body }) =>
+        expect(body.message).toMatchInlineSnapshot(`"Invalid timezone \\"America/Amsterdam\\"."`)
+      );
+  });
+
  it('returns 500 if job handler throws an error', async () => {
    store.addReport = jest.fn().mockRejectedValue('silly');

--- a/x-pack/plugins/reporting/server/routes/lib/request_handler.test.ts
+++ b/x-pack/plugins/reporting/server/routes/lib/request_handler.test.ts
@ -173,6 +173,26 @@ describe('Handle request to generate', () => {
    `);
  });

+  test('disallows invalid browser timezone', async () => {
+    (reportingCore.getLicenseInfo as jest.Mock) = jest.fn(() => ({
+      csv_searchsource: {
+        enableLinks: false,
+        message: `seeing this means the license isn't supported`,
+      },
+    }));
+
+    expect(
+      await requestHandler.handleGenerateRequest('csv_searchsource', {
+        ...mockJobParams,
+        browserTimezone: 'America/Amsterdam',
+      })
+    ).toMatchInlineSnapshot(`
+        Object {
+          "body": "seeing this means the license isn't supported",
+        }
+    `);
+  });
+
  test('generates the download path', async () => {
    const response = (await requestHandler.handleGenerateRequest(
      'csv_searchsource',
--- a/x-pack/plugins/reporting/server/routes/lib/request_handler.ts
+++ b/x-pack/plugins/reporting/server/routes/lib/request_handler.ts
@ -5,6 +5,7 @@
 * 2.0.
 */

+import moment from 'moment';
 import Boom from '@hapi/boom';
 import { i18n } from '@kbn/i18n';
 import type { KibanaRequest, KibanaResponseFactory, Logger } from '@kbn/core/server';
@ -122,6 +123,12 @@ export class RequestHandler {
      return this.res.forbidden({ body: licenseResults.message });
    }

+    if (jobParams.browserTimezone && !moment.tz.zone(jobParams.browserTimezone)) {
+      return this.res.badRequest({
+        body: `Invalid timezone "${jobParams.browserTimezone ?? ''}".`,
+      });
+    }
+
    try {
      const report = await this.enqueueJob(exportTypeId, jobParams);