mirror of
https://github.com/elastic/kibana.git
synced 2025-04-24 09:48:58 -04:00
24f82ee808
# Backport This will backport the following commits from `main` to `8.x`: - [Additional prototype pollution protections (#206073)](https://github.com/elastic/kibana/pull/206073) <!--- Backport version: 9.6.4 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Larry Gregory","email":"larry.gregory@elastic.co"},"sourceCommit":{"committedDate":"2025-01-28T22:00:43Z","message":"Additional prototype pollution protections (#206073)\n\n## Summary\n\n1. Extends the server-side prototype pollution protections introduced in\nhttps://github.com/elastic/kibana/pull/190716 to include\n`Array.prototype`.\n2. Applies the same prototype pollution protections to the client-side.\n\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] Sealing prototypes on the client can lead to failures in\nthird-party dependencies. I'm relying on sufficient functional test\ncoverage to detect issues here. As a result, these protections are\ndisabled by default for now, and can be controlled via setting\n`server.prototypeHardening: true/false`\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"9ce2dd8df9f2bd6c0ba1d089b69ddfd7fc1f4a02","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","release_note:skip","Feature:Hardening","v9.0.0","backport:prev-minor","ci:cloud-deploy","ci:project-deploy-elasticsearch","ci:all-gen-ai-suites"],"title":"Additional prototype pollution protections","number":206073,"url":"https://github.com/elastic/kibana/pull/206073","mergeCommit":{"message":"Additional prototype pollution protections (#206073)\n\n## Summary\n\n1. Extends the server-side prototype pollution protections introduced in\nhttps://github.com/elastic/kibana/pull/190716 to include\n`Array.prototype`.\n2. Applies the same prototype pollution protections to the client-side.\n\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] Sealing prototypes on the client can lead to failures in\nthird-party dependencies. I'm relying on sufficient functional test\ncoverage to detect issues here. As a result, these protections are\ndisabled by default for now, and can be controlled via setting\n`server.prototypeHardening: true/false`\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"9ce2dd8df9f2bd6c0ba1d089b69ddfd7fc1f4a02"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/206073","number":206073,"mergeCommit":{"message":"Additional prototype pollution protections (#206073)\n\n## Summary\n\n1. Extends the server-side prototype pollution protections introduced in\nhttps://github.com/elastic/kibana/pull/190716 to include\n`Array.prototype`.\n2. Applies the same prototype pollution protections to the client-side.\n\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] Sealing prototypes on the client can lead to failures in\nthird-party dependencies. I'm relying on sufficient functional test\ncoverage to detect issues here. As a result, these protections are\ndisabled by default for now, and can be controlled via setting\n`server.prototypeHardening: true/false`\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"9ce2dd8df9f2bd6c0ba1d089b69ddfd7fc1f4a02"}}]}] BACKPORT--> |
||
|---|---|---|
| .. | ||
| application_links | ||
| core | ||
| core_plugins | ||
| custom_visualizations | ||
| data_plugin | ||
| hardening | ||
| management | ||
| panel_actions | ||
| saved_objects_hidden_type | ||
| saved_objects_management | ||
| shared_ux | ||
| telemetry | ||
| usage_collection | ||