# Backport This will backport the following commits from `main` to `8.x`: - [Additional prototype pollution protections (#206073)](https://github.com/elastic/kibana/pull/206073) <!--- Backport version: 9.6.4 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Larry Gregory","email":"larry.gregory@elastic.co"},"sourceCommit":{"committedDate":"2025-01-28T22:00:43Z","message":"Additional prototype pollution protections (#206073)\n\n## Summary\n\n1. Extends the server-side prototype pollution protections introduced in\nhttps://github.com/elastic/kibana/pull/190716 to include\n`Array.prototype`.\n2. Applies the same prototype pollution protections to the client-side.\n\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] Sealing prototypes on the client can lead to failures in\nthird-party dependencies. I'm relying on sufficient functional test\ncoverage to detect issues here. 
As a result, these protections are\ndisabled by default for now, and can be controlled via setting\n`server.prototypeHardening: true/false`\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"9ce2dd8df9f2bd6c0ba1d089b69ddfd7fc1f4a02","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","release_note:skip","Feature:Hardening","v9.0.0","backport:prev-minor","ci:cloud-deploy","ci:project-deploy-elasticsearch","ci:all-gen-ai-suites"],"title":"Additional prototype pollution protections","number":206073,"url":"https://github.com/elastic/kibana/pull/206073","mergeCommit":{"message":"Additional prototype pollution protections (#206073)\n\n## Summary\n\n1. Extends the server-side prototype pollution protections introduced in\nhttps://github.com/elastic/kibana/pull/190716 to include\n`Array.prototype`.\n2. Applies the same prototype pollution protections to the client-side.\n\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] Sealing prototypes on the client can lead to failures in\nthird-party dependencies. I'm relying on sufficient functional test\ncoverage to detect issues here. 
As a result, these protections are\ndisabled by default for now, and can be controlled via setting\n`server.prototypeHardening: true/false`\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"9ce2dd8df9f2bd6c0ba1d089b69ddfd7fc1f4a02"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/206073","number":206073,"mergeCommit":{"message":"Additional prototype pollution protections (#206073)\n\n## Summary\n\n1. Extends the server-side prototype pollution protections introduced in\nhttps://github.com/elastic/kibana/pull/190716 to include\n`Array.prototype`.\n2. Applies the same prototype pollution protections to the client-side.\n\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] Sealing prototypes on the client can lead to failures in\nthird-party dependencies. I'm relying on sufficient functional test\ncoverage to detect issues here. As a result, these protections are\ndisabled by default for now, and can be controlled via setting\n`server.prototypeHardening: true/false`\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"9ce2dd8df9f2bd6c0ba1d089b69ddfd7fc1f4a02"}}]}] BACKPORT-->
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the "Elastic License
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
* Public License v 1"; you may not use this file except in compliance with, at
* your election, the "Elastic License 2.0", the "GNU Affero General Public
* License v3.0 only", or the "Server Side Public License, v 1".
*/
import path from 'path';
import { format as formatUrl } from 'url';
import { esTestConfig, kbnTestConfig, kibanaServerTestUser } from '@kbn/test';
export default function () {
  // Connection details (protocol, hostname, port, auth, ...) of the Kibana and
  // Elasticsearch instances the functional test runner starts.
  const servers = {
    kibana: kbnTestConfig.getUrlParts(),
    elasticsearch: esTestConfig.getUrlParts(),
  };

  // Kibana's requests to Elasticsearch must not carry credentials embedded in the
  // URL: they either use `kibanaServerTestUser`, the credentials of the test user,
  // or none at all when anonymous access is used. Strip the `auth` part before
  // formatting (matched case-insensitively).
  const elasticsearchHostsUrl = formatUrl(
    Object.fromEntries(
      Object.entries(servers.elasticsearch).filter(([part]) => part.toLowerCase() !== 'auth')
    )
  );

  const { protocol, hostname, port } = servers.kibana;
  const newsfeedServiceUrlRoot = `${protocol}://${hostname}:${port}`;

  // Mock services shipped alongside this config, loaded as extra Kibana plugins.
  const mockPluginPath = (name) => path.join(__dirname, 'plugins', name);

  // Console appender with a pattern layout; the meta suffix makes FTR logs more actionable.
  const patternConsoleAppender = JSON.stringify({
    type: 'console',
    layout: {
      type: 'pattern',
      pattern: '[%date][%level][%logger] %message %meta',
    },
  });

  // Dedicated JSON appender that receives Elasticsearch deprecation logs.
  const deprecationAppender = JSON.stringify({
    type: 'console',
    layout: {
      type: 'json',
    },
  });

  const deprecationLoggers = JSON.stringify([
    {
      name: 'elasticsearch.deprecation',
      level: 'all',
      appenders: ['deprecation'],
    },
  ]);

  const kibanaServerArgs = [
    `--server.port=${kbnTestConfig.getPort()}`,
    // Opt in to the prototype pollution hardening (disabled by default per the
    // change description) so the functional suites run against it.
    '--server.prototypeHardening=true',
    '--status.allowAnonymous=true',
    `--elasticsearch.hosts=${elasticsearchHostsUrl}`,
    `--elasticsearch.username=${kibanaServerTestUser.username}`,
    `--elasticsearch.password=${kibanaServerTestUser.password}`,
    // Needed for async search functional tests to introduce a delay
    '--data.search.aggs.shardDelay.enabled=true',
    '--data.query.timefilter.minRefreshInterval=1000',
    '--security.showInsecureClusterWarning=false',
    '--telemetry.banner=false',
    '--telemetry.optIn=false',
    // These are *very* important to have them pointing to staging
    '--telemetry.sendUsageTo=staging',
    '--server.maxPayload=1679958',
    // newsfeed mock service
    `--plugin-path=${mockPluginPath('newsfeed')}`,
    // otel mock service
    `--plugin-path=${mockPluginPath('otel_metrics')}`,
    `--newsfeed.service.urlRoot=${newsfeedServiceUrlRoot}`,
    '--newsfeed.service.pathTemplate=/api/_newsfeed-FTS-external-service-simulators/kibana/v{VERSION}.json',
    `--logging.appenders.deprecation=${deprecationAppender}`,
    `--logging.loggers=${deprecationLoggers}`,
    `--logging.appenders.default=${patternConsoleAppender}`,
    `--logging.appenders.console=${patternConsoleAppender}`,
  ];

  return {
    servers,
    esTestCluster: {
      // Security is switched off on the test Elasticsearch cluster.
      serverArgs: ['xpack.security.enabled=false'],
    },
    kbnTestServer: {
      buildArgs: [],
      sourceArgs: ['--no-base-path', '--env.name=development'],
      serverArgs: kibanaServerArgs,
    },
  };
}