[8.x] [ML] Various fixes for possible prototype pollution vulnerabili…

…ties (#194529) (#194660)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[ML] Various fixes for possible prototype pollution vulnerabilities
(#194529)](#194529)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"James
Gowdy","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-02T07:47:19Z","message":"[ML]
Various fixes for possible prototype pollution vulnerabilities
(#194529)\n\nFixes potential prototype pollution vulnerability in
`setNestedProperty`\r\nfunction.\r\nFixes incomplete string escaping
issue in ML's saved object
service.","sha":"d1f24b050b53cc7b13fbc47b6de3c5f69606e88e","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix",":ml","v9.0.0","v8.16.0","backport:version"],"title":"[ML]
Various fixes for possible prototype pollution
vulnerabilities","number":194529,"url":"https://github.com/elastic/kibana/pull/194529","mergeCommit":{"message":"[ML]
Various fixes for possible prototype pollution vulnerabilities
(#194529)\n\nFixes potential prototype pollution vulnerability in
`setNestedProperty`\r\nfunction.\r\nFixes incomplete string escaping
issue in ML's saved object
service.","sha":"d1f24b050b53cc7b13fbc47b6de3c5f69606e88e"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194529","number":194529,"mergeCommit":{"message":"[ML]
Various fixes for possible prototype pollution vulnerabilities
(#194529)\n\nFixes potential prototype pollution vulnerability in
`setNestedProperty`\r\nfunction.\r\nFixes incomplete string escaping
issue in ML's saved object
service.","sha":"d1f24b050b53cc7b13fbc47b6de3c5f69606e88e"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: James Gowdy <[email protected]>

x-pack/packages/ml/nested_property/src/set_nested_property.test.ts

@@ -68,5 +68,15 @@ describe('object_utils', () => {
 
     const test11 = setNestedProperty(getFalseyObject(), 'the.other_nested.value', 'update');
     expect(test11.the.other_nested.value).toBe('update');
+
+    expect(() => {
+      setNestedProperty(getTestObj(), 'the.__proto__', 'update');
+    }).toThrow('Invalid accessor');
+    expect(() => {
+      setNestedProperty(getTestObj(), 'the.prototype', 'update');
+    }).toThrow('Invalid accessor');
+    expect(() => {
+      setNestedProperty(getTestObj(), 'the.constructor', 'update');
+    }).toThrow('Invalid accessor');
   });
 });

x-pack/packages/ml/nested_property/src/set_nested_property.ts

@@ -5,9 +5,15 @@
  * 2.0.
  */
 
+const INVALID_ACCESSORS = ['__proto__', 'prototype', 'constructor'];
+
 export const setNestedProperty = (obj: Record<string, any>, accessor: string, value: any) => {
   let ref = obj;
   const accessors = accessor.split('.');
+  if (accessors.some((a) => INVALID_ACCESSORS.includes(a))) {
+    throw new Error('Invalid accessor');
+  }
+
   const len = accessors.length;
   for (let i = 0; i < len - 1; i++) {
     const attribute = accessors[i];

x-pack/plugins/ml/server/saved_objects/service.ts

@@ -328,7 +328,7 @@ export function mlSavedObjectServiceFactory(
       if (id.match('\\*') === null) {
         return jobIds.includes(id);
       }
-      const regex = new RegExp(id.replace('*', '.*'));
+      const regex = new RegExp(id.replaceAll('*', '.*'));
       return jobIds.some((jId) => typeof jId === 'string' && regex.exec(jId));
     });
   }
@@ -640,7 +640,7 @@ export function mlSavedObjectServiceFactory(
       if (id.match('\\*') === null) {
         return modelIds.includes(id);
       }
-      const regex = new RegExp(id.replace('*', '.*'));
+      const regex = new RegExp(id.replaceAll('*', '.*'));
       return modelIds.some((jId) => typeof jId === 'string' && regex.exec(jId));
     });
   }