[Security Solution][Lists] Escape quotes in list ids and quote the id in KQL query #93176
Conversation
marshallmain
added
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
marshallmain
added
the
release_note:skip
I wonder if there's an opportunity here to allow for parameters, like how SQL uses |
|
@rw-access yeah I was hoping to find something like that in Kibana already but didn't see it anywhere, doing my own escaping felt dangerous. The KQL parsing in general has a couple different areas where it could be improved, as it also generates sub-optimal queries when the KQL has many terms - each term creates a new level of nesting in the generated DSL, so you can hit nesting limits quickly. |
|
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
|
|
||
| export const escapeQuotes = (str: string): string => { | ||
| return str.replace(/[\\"]/g, '\\$&'); | ||
| }; |
There was a problem hiding this comment.
Is this the same as this one?
x-pack/plugins/data_enhanced/public/autocomplete/providers/kql_query_suggestion/lib/escape_kuery.ts
That looks like it only works client side and not server and isn't part of a common section for usage in both areas which is a bummer.
Wish it was in one common spot. I'm fine with this duplicated here though. I would just maybe? copy maybe over their tests and put a note that there is a duplication between the two in case someone sees them deviate later/change.
The other tests above and the e2e is more than good enough though, wouldn't split hairs on that.
There was a problem hiding this comment.
Yep it's the same function, definitely would like to have it in a common place along with the other escaping utilities (and maybe a more robust parameterization scheme like Ross suggested above). For now though it seems a simple enough function to just do the ol' copy paste.
| .expect(200); | ||
|
|
||
| const bodyToCompare = removeListServerGeneratedProperties(body); | ||
| expect(bodyToCompare).to.eql(getListResponseMockWithoutAutoGeneratedValues()); |
There was a problem hiding this comment.
Nice! Thanks for the e2e test here.
… in KQL query (elastic#93176) * Escape quotes in list ids and quote the id in KQL query * Remove decodeURIComponent because too many KQL queries don't handle quotes * Add quotes to user supplied IDs for other KQL queries Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
… in KQL query (elastic#93176) * Escape quotes in list ids and quote the id in KQL query * Remove decodeURIComponent because too many KQL queries don't handle quotes * Add quotes to user supplied IDs for other KQL queries Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
… in KQL query (#93176) (#93502) * Escape quotes in list ids and quote the id in KQL query * Remove decodeURIComponent because too many KQL queries don't handle quotes * Add quotes to user supplied IDs for other KQL queries Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
… in KQL query (#93176) (#93503) * Escape quotes in list ids and quote the id in KQL query * Remove decodeURIComponent because too many KQL queries don't handle quotes * Add quotes to user supplied IDs for other KQL queries Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* master: (48 commits) Fix wrong import in data plugin causing 100kB bundle increase (elastic#93448) [Fleet] Correctly track install status of an integration (elastic#93464) Reviews data frame analytics UI text (elastic#93033) Display multiple copyable fields for process.args in resolver node detail panel (elastic#93280) [Security Solution][Detections] ML Popover overflow fix (elastic#93525) chore(NA): do not use execa on bazel workspace status update script (elastic#93532) Bump dependencies (elastic#93511) [dev/build_ts_refs] support disabling the ts-refs build completely (elastic#93529) [Security Solution] fix data provider cypress test (elastic#93465) Fix service map for All environment single service (elastic#93517) [Fleet] Fix package version comparaison in the UI (elastic#93498) [alerting] adds doc on JSON-expanded action variables and task manager max_workers (elastic#92720) [dev/build_ts_refs] ignore type checking failures when building ts refs (elastic#93473) [core-new-docs] Adds a dev-doc for core documentation (elastic#92976) remove opacity from maps legacy style (elastic#93456) [Security Solution][Lists] Escape quotes in list ids and quote the id in KQL query (elastic#93176) Revert "Make tests deterministic by providing unique timestamps (elastic#93350)" [Discover] Fix link from dashboard saved search to Discover (elastic#92937) update public api docs App Search - Polishing Analytics Views (elastic#92939) ...
Closes #86273
The value list ID was being inserted directly into the KQL filter without being escaped or surrounded by quotes, so special KQL characters in the ID would break the query generation. This PR encloses the IDs in quotes and adds simple escaping logic to the ID (replacing
"with\") so IDs with quotes or other special characters won't break the KQL parsing.We should be on the lookout for other places where we generate KQL queries and insert values that could be user supplied.
Related: when importing value lists, the filename comes in URI encoded and we store it in this URI encoded form. Do we want to decode the URI here so that the filename will be stored in its original form (and also displayed in the original form on the UI)? I found this because quotes in the filename get URI encoded and never decoded if you import using the UI, whereas with the API you can create a list that has quotes in the list_id.
Checklist
Delete any items that are not applicable to this PR.
For maintainers