mirror of
https://github.com/elastic/kibana.git
synced 2025-06-28 03:01:21 -04:00
74d88580a5
## Summary This PR has breadth, but not depth. This adds 3 new `eslint` rules. The first two protect against the use of code generated from strings (`eval` and friends), which will not work client-side due to our CSP, and is not something we wish to support server-side. The last rule aims to prevent a subtle class of bugs, and to defend against a subset of prototype pollution exploits: - `no-new-func` to be compliant with our CSP, and to prevent code execution from strings server-side: https://eslint.org/docs/latest/rules/no-new-func - `no-implied-eval` to be compliant with our CSP, and to prevent code execution from strings server-side: https://eslint.org/docs/latest/rules/no-implied-eval. Note that this function implies that it prevents no-new-func, but I don't see [test cases](https://github.com/eslint/eslint/blob/main/tests/lib/rules/no-implied-eval.js) covering this behavior, so I think we should play it safe and enable both rules. - `no-prototype-builtins` to prevent accessing shadowed properties: https://eslint.org/docs/latest/rules/no-prototype-builtins In order to be compliant with `no-prototype-builtins`, I've migrated all usages and variants of `Object.hasOwnProperty` to use the newer [`Object.hasOwn`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/hasOwn).
81 lines
2.3 KiB
JavaScript
81 lines
2.3 KiB
JavaScript
/*
|
|
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
* or more contributor license agreements. Licensed under the Elastic License
|
|
* 2.0; you may not use this file except in compliance with the Elastic License
|
|
* 2.0.
|
|
*/
|
|
|
|
import fetch from 'node-fetch';
|
|
import { resolve } from 'path';
|
|
import pkg from '../../package.json';
|
|
import { X_ELASTIC_INTERNAL_ORIGIN_REQUEST } from '@kbn/core-http-common/src/constants';
|
|
|
|
function getRequestParams(argv) {
|
|
// use `--host=https://somedomain.com:5601` or else http://localhost:5601 is defaulted
|
|
const host = argv.host || 'http://localhost:5601';
|
|
// use `--auth=myuser:mypassword` or else elastic:changeme is defaulted
|
|
// passing `--auth` with no value effectively sends no auth
|
|
const auth = argv.auth || 'elastic:changeme';
|
|
const authStr = Buffer.from(auth).toString('base64');
|
|
// auto-add a leading slash to basePath
|
|
const basePath = argv.basePath ? '/' + argv.basePath : '';
|
|
|
|
return {
|
|
host,
|
|
auth: `Basic ${authStr}`,
|
|
basePath,
|
|
};
|
|
}
|
|
|
|
function getRequestHeaders(auth) {
|
|
return {
|
|
'kbn-version': pkg.version,
|
|
'Content-Type': 'application/json',
|
|
Authorization: auth,
|
|
[X_ELASTIC_INTERNAL_ORIGIN_REQUEST]: 'Kibana',
|
|
};
|
|
}
|
|
|
|
function setIgnoreSSLErrors() {
|
|
// use `-k` to let fetch ignore SSL errors
|
|
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
|
|
}
|
|
|
|
function logHeaders(res) {
|
|
// use `--headers` to print the response headers
|
|
const headers = res.headers.raw();
|
|
for (const key in headers) {
|
|
if (Object.hasOwn(headers, key)) {
|
|
console.log(`${key}: ${headers[key]}`);
|
|
}
|
|
}
|
|
console.log('\n');
|
|
}
|
|
|
|
function prettyPrintJson(json) {
|
|
console.log(JSON.stringify(json, null, ' '));
|
|
}
|
|
|
|
export async function requestFromApi(argv, requestType) {
|
|
const pattern = resolve(__dirname, `./apis/${requestType}/index.js`);
|
|
const { method, path, body } = require(pattern); // eslint-disable-line import/no-dynamic-require
|
|
const { host, auth, basePath } = getRequestParams(argv);
|
|
if (argv.k || !argv.ssl) {
|
|
setIgnoreSSLErrors();
|
|
}
|
|
|
|
// make the request
|
|
const params = { method, headers: getRequestHeaders(auth) };
|
|
if (body) {
|
|
params.body = JSON.stringify(body);
|
|
}
|
|
const uri = host + basePath + path;
|
|
const res = await fetch(uri, params);
|
|
|
|
if (argv.headers) {
|
|
logHeaders(res);
|
|
}
|
|
|
|
const json = await res.json();
|
|
prettyPrintJson(json);
|
|
}
|