Ensure the dashboard zip is sane #6921

tsg · 2018-04-23T14:05:14Z

This adds a check that all files from the dashboard zip file
are pointing to the right target, and don't override other configs.

This adds a check that all files from the dashboard zip file are pointing to the right target, and don't override other configs.

urso · 2018-04-23T15:30:50Z

libbeat/dashboards/importer.go

+			return err
+		}
+		if strings.HasPrefix(filepath.ToSlash(relPath), "../") {
+			return fmt.Errorf("Zip file contains files outside of directory target: %s", relPath)


s/directory target/target directory/ ?

ruflin

LGTM. A test with an invalid zip would have been nice.

hansmi · 2018-04-24T13:06:39Z

If I may I'd recommend using cyphar/filepath-securejoin rather than coming up with your own path verification.

This uses the same approach and code as the Kibana dashboards loader. Fixes elastic#6921.

* Ensure the dashboard zip is sane This adds a check that all files from the dashboard zip file are pointing to the right target, and don't override other configs. * changelog * addressed comment (cherry picked from commit a34c9eb)

This uses the same approach and code as the Kibana dashboards loader. Fixes #6921.

* Ensure the dashboard zip is sane This adds a check that all files from the dashboard zip file are pointing to the right target, and don't override other configs. * changelog * addressed comment (cherry picked from commit a34c9eb)

This uses the same approach and code as the Kibana dashboards loader. Fixes elastic#6921. (cherry picked from commit a7c9062)

This uses the same approach and code as the Kibana dashboards loader. Fixes #6921. (cherry picked from commit a7c9062)

tsg · 2018-05-03T10:32:58Z

Thank you for the suggestion @hansmi. We had some concerns about the Windows portability of the filepath-securejoin lib, because it relies on the PathSeparator. So for now we merged the PR like this to catch the release train, but we'll follow up on this. cc @urso

* Ensure the dashboard zip is sane (#6921) * Ensure the dashboard zip is sane This adds a check that all files from the dashboard zip file are pointing to the right target, and don't override other configs. * changelog * addressed comment (cherry picked from commit a34c9eb) * cleanup changelog

* Ensure the dashboard zip is sane This adds a check that all files from the dashboard zip file are pointing to the right target, and don't override other configs. * changelog * addressed comment (cherry picked from commit 028a3fd)

…#6996) This uses the same approach and code as the Kibana dashboards loader. Fixes elastic#6921. (cherry picked from commit b514dd1)

…astic#6995) * Ensure the dashboard zip is sane (elastic#6921) * Ensure the dashboard zip is sane This adds a check that all files from the dashboard zip file are pointing to the right target, and don't override other configs. * changelog * addressed comment (cherry picked from commit 028a3fd) * cleanup changelog

Ensure the dashboard zip is sane

b63a451

This adds a check that all files from the dashboard zip file are pointing to the right target, and don't override other configs.

tsg added bug review labels Apr 23, 2018

changelog

a2e16ea

tsg requested a review from urso April 23, 2018 14:10

urso reviewed Apr 23, 2018

View reviewed changes

urso approved these changes Apr 23, 2018

View reviewed changes

addressed comment

a48929f

ruflin approved these changes Apr 23, 2018

View reviewed changes

tsg added the needs_backport PR is waiting to be backported to other branches. label May 2, 2018

tsg mentioned this pull request May 2, 2018

Inherit Kibana credentials from the ES output #6993

Merged

tsg added a commit to tsg/beats that referenced this pull request May 2, 2018

Inherit Kibana credentials from the ES output

3389f12

This uses the same approach and code as the Kibana dashboards loader. Fixes elastic#6921.

urso merged commit a34c9eb into elastic:master May 2, 2018

tsg mentioned this pull request May 2, 2018

Cherry-pick #6921 to 6.3: Ensure the dashboard zip is sane #6994

Merged

tsg added v6.3.0 and removed needs_backport PR is waiting to be backported to other branches. labels May 2, 2018

tsg mentioned this pull request May 2, 2018

Cherry-pick #6921 to 6.2: Ensure the dashboard zip is sane #6995

Merged

tsg added the v6.2.5 label May 2, 2018

urso pushed a commit that referenced this pull request May 2, 2018

Inherit Kibana credentials from the ES output (#6993)

a7c9062

This uses the same approach and code as the Kibana dashboards loader. Fixes #6921.

tsg added a commit to tsg/beats that referenced this pull request May 2, 2018

Inherit Kibana credentials from the ES output (elastic#6993)

9f5cb1c

This uses the same approach and code as the Kibana dashboards loader. Fixes elastic#6921. (cherry picked from commit a7c9062)

tsg mentioned this pull request May 2, 2018

Cherry-pick #6993 to 6.3: Inherit Kibana credentials from the ES output #6996

Merged

andrewkroh pushed a commit that referenced this pull request May 2, 2018

Inherit Kibana credentials from the ES output (#6993) (#6996)

7edf2bc

This uses the same approach and code as the Kibana dashboards loader. Fixes #6921. (cherry picked from commit a7c9062)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Ensure the dashboard zip is sane #6921

Ensure the dashboard zip is sane #6921

tsg commented Apr 23, 2018

urso Apr 23, 2018

ruflin left a comment

hansmi commented Apr 24, 2018

tsg commented May 3, 2018

Ensure the dashboard zip is sane #6921

Ensure the dashboard zip is sane #6921

Conversation

tsg commented Apr 23, 2018

urso Apr 23, 2018

Choose a reason for hiding this comment

ruflin left a comment

Choose a reason for hiding this comment

hansmi commented Apr 24, 2018

tsg commented May 3, 2018