kibana/test/plugin_functional
Larry Gregory 24f82ee808
[8.x] Additional prototype pollution protections (#206073) (#208742)
# Backport

This will backport the following commits from `main` to `8.x`:
- [Additional prototype pollution protections
(#206073)](https://github.com/elastic/kibana/pull/206073)

<!--- Backport version: 9.6.4 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

2025-01-29 15:08:04 -05:00
..
plugins [8.x] Additional prototype pollution protections (#206073) (#208742) 2025-01-29 15:08:04 -05:00
services Adds AGPL 3.0 license (#192025) 2024-09-06 19:02:41 -06:00
snapshots/baseline/hardening [8.x] Additional prototype pollution protections (#206073) (#208742) 2025-01-29 15:08:04 -05:00
test_suites [8.x] Additional prototype pollution protections (#206073) (#208742) 2025-01-29 15:08:04 -05:00
config.ts [8.x] Clean up `cloud_chat` (#194571) (#194818) 2024-10-03 09:12:16 -05:00
README.md [KP] Expose new es client (#73651) 2020-07-30 19:12:37 +02:00

Plugin Functional Tests

This folder contains plugin functional tests, i.e. functional tests that should be executed against a Kibana instance with specific test plugins available.

To add a plugin to the instance, just place the plugin folder in the plugins directory.

Add new test suites into the test_suites folder and reference them from the config.ts file. These test suites work the same as regular functional tests except that they are executed against a Kibana instance with all plugins (from the plugins directory) installed.

Run the test

To run these tests during development you can use the following commands:

# Start the test server (can continue running)
node scripts/functional_tests_server.js --config test/plugin_functional/config.ts
# Start a test run
node scripts/functional_test_runner.js --config test/plugin_functional/config.ts

Run Kibana with a test plugin

In case you want to start Kibana with one of the test plugins (e.g. for developing the test plugin), you can just run:

yarn start --plugin-path=test/plugin_functional/plugins/<plugin_folder>

If you wish to start Kibana with multiple test plugins, you can run:

yarn start --plugin-path=test/plugin_functional/plugins/<plugin_folder1> --plugin-path=test/plugin_functional/plugins/<plugin_folder2> ... 

If you wish to load specific es archived data for your test, you can do so via the es_archiver script detailed in the Scripts README.md.

Another option, which will automatically use any specific settings the test environment may rely on, is to boot up the functional test server pointing to the plugin configuration file.

node scripts/functional_tests_server --config test/plugin_functional/config.ts

Note: you may still need to use the es_archiver script to boot up any required data.