[Security Solution][Platform] Only allow wildcard exceptions on string fields (#137129)

* Only allow wildcard exceptions on string fields * Fix unit tests and move to the right place
2025-04-24 01:38:56 -04:00 · 2022-07-26 12:41:19 -07:00 · 2022-07-26 12:41:19 -07:00 · fe97c24de2
commit fe97c24de2
parent 20be0da426
3 changed files with 59 additions and 8 deletions
--- a/packages/kbn-securitysolution-list-utils/src/helpers/index.ts
+++ b/packages/kbn-securitysolution-list-utils/src/helpers/index.ts
@ -44,6 +44,9 @@ import {
  isOneOfOperator,
  isOperator,
  DETECTION_ENGINE_EXCEPTION_OPERATORS,
+  isNotOneOfOperator,
+  isInListOperator,
+  isNotInListOperator,
 } from '../autocomplete_operators';

 import {
@ -668,6 +671,10 @@ export const getEntryOnOperatorChange = (
  }
 };

+const fieldSupportsMatches = (field: DataViewFieldBase) => {
+  return field.type === 'string';
+};
+
 /**
 * Determines which operators to make available
 *
@ -691,9 +698,31 @@ export const getOperatorOptions = (
  } else if (isBoolean) {
    return [isOperator, isNotOperator, existsOperator, doesNotExistOperator];
  } else if (!includeValueListOperators) {
-    return EXCEPTION_OPERATORS_SANS_LISTS;
+    return fieldSupportsMatches(item.field)
+      ? EXCEPTION_OPERATORS_SANS_LISTS
+      : [
+          isOperator,
+          isNotOperator,
+          isOneOfOperator,
+          isNotOneOfOperator,
+          existsOperator,
+          doesNotExistOperator,
+        ];
  } else {
-    return listType === 'detection' ? DETECTION_ENGINE_EXCEPTION_OPERATORS : ALL_OPERATORS;
+    return listType === 'detection'
+      ? fieldSupportsMatches(item.field)
+        ? DETECTION_ENGINE_EXCEPTION_OPERATORS
+        : [
+            isOperator,
+            isNotOperator,
+            isOneOfOperator,
+            isNotOneOfOperator,
+            existsOperator,
+            doesNotExistOperator,
+            isInListOperator,
+            isNotInListOperator,
+          ]
+      : ALL_OPERATORS;
  }
 };

--- a/x-pack/plugins/lists/public/exceptions/components/builder/entry_renderer.test.tsx
+++ b/x-pack/plugins/lists/public/exceptions/components/builder/entry_renderer.test.tsx
@ -391,7 +391,7 @@ describe('BuilderEntryItem', () => {
        entry={{
          correspondingKeywordField: undefined,
          entryIndex: 0,
-          field: getField('ip'),
+          field: getField('@tags'),
          id: '123',
          nested: undefined,
          operator: matchesOperator,
@ -412,7 +412,7 @@ describe('BuilderEntryItem', () => {
      />
    );

-    expect(wrapper.find('[data-test-subj="exceptionBuilderEntryField"]').text()).toEqual('ip');
+    expect(wrapper.find('[data-test-subj="exceptionBuilderEntryField"]').text()).toEqual('@tags');
    expect(wrapper.find('[data-test-subj="exceptionBuilderEntryOperator"]').text()).toEqual(
      'matches'
    );
@ -428,7 +428,7 @@ describe('BuilderEntryItem', () => {
        entry={{
          correspondingKeywordField: undefined,
          entryIndex: 0,
-          field: getField('ip'),
+          field: getField('@tags'),
          id: '123',
          nested: undefined,
          operator: doesNotMatchOperator,
@ -449,7 +449,7 @@ describe('BuilderEntryItem', () => {
      />
    );

-    expect(wrapper.find('[data-test-subj="exceptionBuilderEntryField"]').text()).toEqual('ip');
+    expect(wrapper.find('[data-test-subj="exceptionBuilderEntryField"]').text()).toEqual('@tags');
    expect(wrapper.find('[data-test-subj="exceptionBuilderEntryOperator"]').text()).toEqual(
      'does not match'
    );
--- a/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts
+++ b/x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts
@ -617,7 +617,10 @@ describe('Exception builder helpers', () => {
    });

    test('it does not return list operators if specified not to', () => {
-      const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
+      const payloadItem: FormattedBuilderEntry = {
+        ...getMockBuilderEntry(),
+        field: getField('@tags'),
+      };
      const output = getOperatorOptions(payloadItem, 'detection', false, false);
      expect(output).toEqual(EXCEPTION_OPERATORS_SANS_LISTS);
    });
@ -629,10 +632,29 @@ describe('Exception builder helpers', () => {
    });

    test('it returns all operators supported by detection engine if list type is "detection"', () => {
-      const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
+      const payloadItem: FormattedBuilderEntry = {
+        ...getMockBuilderEntry(),
+        field: getField('@tags'),
+      };
      const output = getOperatorOptions(payloadItem, 'detection', false, true);
      expect(output).toEqual(DETECTION_ENGINE_EXCEPTION_OPERATORS);
    });
+
+    test('it excludes wildcard operators if list type is "detection" and field is not a string', () => {
+      const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
+      const output = getOperatorOptions(payloadItem, 'detection', false, true);
+      const expected: OperatorOption[] = [
+        isOperator,
+        isNotOperator,
+        isOneOfOperator,
+        isNotOneOfOperator,
+        existsOperator,
+        doesNotExistOperator,
+        isInListOperator,
+        isNotInListOperator,
+      ];
+      expect(output).toEqual(expected);
+    });
  });

  describe('#getEntryOnFieldChange', () => {