mirror of
https://github.com/elastic/kibana.git
synced 2025-04-23 01:13:23 -04:00
[8.16] [Security Solution] Fix code scanning alert no. 469: Prototype-polluting function (#201712) (#202080)
# Backport This will backport the following commits from `main` to `8.16`: - [[Security Solution] Fix code scanning alert no. 469: Prototype-polluting function (#201712)](https://github.com/elastic/kibana/pull/201712) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Kevin Qualters","email":"56408403+kqualters-elastic@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-11-27T21:56:59Z","message":"[Security Solution] Fix code scanning alert no. 469: Prototype-polluting function (#201712)\n\nFixes\r\n[https://github.com/elastic/kibana/security/code-scanning/469](https://github.com/elastic/kibana/security/code-scanning/469)\r\n\r\nWhile I don't think this is actually an issue, as source is only a set\r\nof ecs fields that ultimately are defined in the code and not controlled\r\nby the user\r\nhttps://github.com/elastic/kibana/blob/main/packages/kbn-alerts-as-data-utils/src/search/security/fields.ts#L47\r\nThis suggested fix doesn't have any negative impact/makes it future\r\nproof if ever used elsewhere.\r\n\r\nTo fix the prototype pollution issue in the `deepMerge` function, we\r\nneed to ensure that the function does not copy the special properties\r\n`__proto__` and `constructor`. Additionally, we should verify that the\r\nproperties being copied are own properties of the `source` object. This\r\ncan be achieved by adding checks within the `deepMerge` function.\r\n\r\n\r\n_Suggested fixes powered by Copilot Autofix. Review carefully before\r\nmerging._\r\n\r\n---------\r\n\r\nCo-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"bcbf85a71f0b30e431a9dc94f3a04773e2f43623","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Threat Hunting:Investigations","backport:prev-major"],"title":"[Security Solution] Fix code scanning alert no. 469: Prototype-polluting function","number":201712,"url":"https://github.com/elastic/kibana/pull/201712","mergeCommit":{"message":"[Security Solution] Fix code scanning alert no. 469: Prototype-polluting function (#201712)\n\nFixes\r\n[https://github.com/elastic/kibana/security/code-scanning/469](https://github.com/elastic/kibana/security/code-scanning/469)\r\n\r\nWhile I don't think this is actually an issue, as source is only a set\r\nof ecs fields that ultimately are defined in the code and not controlled\r\nby the user\r\nhttps://github.com/elastic/kibana/blob/main/packages/kbn-alerts-as-data-utils/src/search/security/fields.ts#L47\r\nThis suggested fix doesn't have any negative impact/makes it future\r\nproof if ever used elsewhere.\r\n\r\nTo fix the prototype pollution issue in the `deepMerge` function, we\r\nneed to ensure that the function does not copy the special properties\r\n`__proto__` and `constructor`. Additionally, we should verify that the\r\nproperties being copied are own properties of the `source` object. This\r\ncan be achieved by adding checks within the `deepMerge` function.\r\n\r\n\r\n_Suggested fixes powered by Copilot Autofix. Review carefully before\r\nmerging._\r\n\r\n---------\r\n\r\nCo-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"bcbf85a71f0b30e431a9dc94f3a04773e2f43623"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/201712","number":201712,"mergeCommit":{"message":"[Security Solution] Fix code scanning alert no. 469: Prototype-polluting function (#201712)\n\nFixes\r\n[https://github.com/elastic/kibana/security/code-scanning/469](https://github.com/elastic/kibana/security/code-scanning/469)\r\n\r\nWhile I don't think this is actually an issue, as source is only a set\r\nof ecs fields that ultimately are defined in the code and not controlled\r\nby the user\r\nhttps://github.com/elastic/kibana/blob/main/packages/kbn-alerts-as-data-utils/src/search/security/fields.ts#L47\r\nThis suggested fix doesn't have any negative impact/makes it future\r\nproof if ever used elsewhere.\r\n\r\nTo fix the prototype pollution issue in the `deepMerge` function, we\r\nneed to ensure that the function does not copy the special properties\r\n`__proto__` and `constructor`. Additionally, we should verify that the\r\nproperties being copied are own properties of the `source` object. This\r\ncan be achieved by adding checks within the `deepMerge` function.\r\n\r\n\r\n_Suggested fixes powered by Copilot Autofix. Review carefully before\r\nmerging._\r\n\r\n---------\r\n\r\nCo-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"bcbf85a71f0b30e431a9dc94f3a04773e2f43623"}}]}] BACKPORT--> Co-authored-by: Kevin Qualters <56408403+kqualters-elastic@users.noreply.github.com>
This commit is contained in:
Kibana Machine
GitHub
parent
72321a14e1
commit
bb1b99a4b2
1 changed files with 8 additions and 1 deletions
|
|
@ -34,7 +34,14 @@ const createBaseTimelineEdges = (): TimelineEdges => ({
|
|||
|
||||
function deepMerge(target: EventSource, source: EventSource) {
|
||||
for (const key in source) {
|
||||
if (source && source[key] instanceof Object && target && target[key] instanceof Object) {
|
||||
if (
|
||||
!Object.prototype.hasOwnProperty.call(source, key) ||
|
||||
key === '__proto__' ||
|
||||
key === 'constructor'
|
||||
)
|
||||
// eslint-disable-next-line no-continue
|
||||
continue;
|
||||
if (source[key] instanceof Object && target[key] instanceof Object) {
|
||||
deepMerge(target[key], source[key]);
|
||||
} else {
|
||||
target[key] = source[key];
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue