Merge branch '7.17' into backport/7.17/pr-186630

docs/developer/best-practices/stability.asciidoc

@@ -29,7 +29,7 @@ access.
 *** We need to make sure security is set up in a specific way for
 non-standard {kib} indices. (create their own custom roles)
 * {kib} running behind a reverse proxy or load balancer, without sticky
-sessions. (we have had many discuss/SDH tickets around this)
+sessions.
 * If a proxy/loadbalancer is running between ES and {kib}
 
 [discrete]
@@ -78,4 +78,4 @@ Does the feature work efficiently on the list of supported browsers?
 * Does the feature affect old indices or saved objects?
 * Has the feature been tested with {kib} aliases?
 * Read/Write privileges of the indices before and after the
-upgrade?
+upgrade?

package.json

@@ -372,7 +372,7 @@
     "regenerator-runtime": "^0.13.3",
     "remark-parse-no-trim": "^8.0.4",
     "remark-stringify": "^8.0.3",
-    "require-in-the-middle": "^7.2.0",
+    "require-in-the-middle": "^7.3.0",
     "reselect": "^4.0.0",
     "resize-observer-polyfill": "^1.5.1",
     "rison-node": "1.0.2",
@@ -580,7 +580,7 @@
     "@types/nock": "^10.0.3",
     "@types/node": "20.10.6",
     "@types/node-fetch": "2.6.4",
-    "@types/node-forge": "^1.3.10",
+    "@types/node-forge": "^1.3.11",
     "@types/nodemailer": "^6.4.0",
     "@types/normalize-path": "^3.0.0",
     "@types/object-hash": "^1.3.0",
@@ -612,7 +612,7 @@
     "@types/redux-actions": "^2.6.1",
     "@types/redux-logger": "^3.0.8",
     "@types/seedrandom": ">=2.0.0 <4.0.0",
-    "@types/selenium-webdriver": "^4.1.22",
+    "@types/selenium-webdriver": "^4.1.23",
     "@types/semver": "^7",
     "@types/set-value": "^2.0.0",
     "@types/sinon": "^7.0.13",
@@ -666,7 +666,7 @@
     "callsites": "^3.1.0",
     "chai": "3.5.0",
     "chance": "1.0.18",
-    "chromedriver": "^125.0.2",
+    "chromedriver": "^126.0.2",
     "clean-webpack-plugin": "^3.0.0",
     "cmd-shim": "^2.1.0",
     "compression-webpack-plugin": "^4.0.0",
@@ -791,10 +791,10 @@
     "regenerate": "^1.4.0",
     "resolve": "^1.7.1",
     "rxjs-marbles": "^5.0.6",
-    "sass-embedded": "^1.71.1",
+    "sass-embedded": "^1.77.5",
     "sass-loader": "^10.5.1",
     "sass-resources-loader": "^2.0.1",
-    "selenium-webdriver": "^4.21.0",
+    "selenium-webdriver": "^4.22.0",
     "simple-git": "^3.16.0",
     "sinon": "^7.4.2",
     "sort-package-json": "^1.53.1",
@@ -812,7 +812,7 @@
     "tempy": "^0.3.0",
     "terser": "^5.19.2",
     "terser-webpack-plugin": "^4.2.3",
-    "tough-cookie": "^4.1.3",
+    "tough-cookie": "^4.1.4",
     "ts-loader": "^7.0.5",
     "ts-morph": "^11.0.0",
     "tsd": "^0.20.0",

src/setup_node_env/harden/child_process.js

@@ -32,31 +32,34 @@ new ritm.Hook(['child_process'], function (cp) {
 function patchOptions(hasArgs) {
   return function apply(target, thisArg, args) {
     var pos = 1;
-    if (pos === args.length) {
+    var newArgs = Object.setPrototypeOf([].concat(args), null);
+
+    if (pos === newArgs.length) {
       // fn(arg1)
-      args[pos] = prototypelessSpawnOpts();
-    } else if (pos < args.length) {
-      if (hasArgs && (Array.isArray(args[pos]) || args[pos] == null)) {
+      newArgs[pos] = prototypelessSpawnOpts();
+    } else if (pos < newArgs.length) {
+      if (hasArgs && (Array.isArray(newArgs[pos]) || newArgs[pos] == null)) {
         // fn(arg1, args, ...)
         pos++;
       }
 
-      if (typeof args[pos] === 'object' && args[pos] !== null) {
+      if (typeof newArgs[pos] === 'object' && newArgs[pos] !== null) {
         // fn(arg1, {}, ...)
         // fn(arg1, args, {}, ...)
-        args[pos] = prototypelessSpawnOpts(args[pos]);
-      } else if (args[pos] == null) {
+        newArgs[pos] = prototypelessSpawnOpts(newArgs[pos]);
+      } else if (newArgs[pos] == null) {
         // fn(arg1, null/undefined, ...)
         // fn(arg1, args, null/undefined, ...)
-        args[pos] = prototypelessSpawnOpts();
-      } else if (typeof args[pos] === 'function') {
+        newArgs[pos] = prototypelessSpawnOpts();
+      } else if (typeof newArgs[pos] === 'function') {
         // fn(arg1, callback)
         // fn(arg1, args, callback)
-        args.splice(pos, 0, prototypelessSpawnOpts());
+        // `newArgs` doesn't have prototype and hence `splice` method anymore.
+        Array.prototype.splice.call(newArgs, pos, 0, prototypelessSpawnOpts());
       }
     }
 
-    return target.apply(thisArg, args);
+    return target.apply(thisArg, newArgs);
   };
 }
 

test/functional/services/common/browser.ts

@@ -49,7 +49,10 @@ class BrowserService extends FtrService {
    * https://seleniumhq.github.io/selenium/docs/api/javascript/module/selenium-webdriver/lib/webdriver_exports_WebDriver.html#actions
    */
   public getActions() {
-    return this.driver.actions();
+    return this.driver.actions({
+      async: undefined,
+      bridge: undefined,
+    });
   }
 
   /**

test/functional/services/lib/web_element_wrapper/web_element_wrapper.ts

@@ -130,7 +130,10 @@ export class WebElementWrapper {
   }
 
   private getActions() {
-    return this.driver.actions();
+    return this.driver.actions({
+      async: undefined,
+      bridge: undefined,
+    });
   }
 
   /**

test/functional/services/remote/webdriver.ts

@@ -114,7 +114,7 @@ function initChromiumOptions(browserType: Browsers, acceptInsecureCerts: boolean
   }
 
   if (browserBinaryPath) {
-    options.setChromeBinaryPath(browserBinaryPath);
+    options.setBinaryPath(browserBinaryPath);
   }
 
   if (noCache === '1') {

test/harden/_node_script.js

@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+console.log('Hello from _node_script.js!');

test/harden/child_process.js

@@ -307,6 +307,50 @@ for (const name of functions) {
     assertProcess(t, cp.spawn(command, [], { env: { custom: 'custom' } }), { stdout: 'custom' });
   });
 
+  test('spawn(command, options) - prevent object prototype pollution', (t) => {
+    const pathName = path.join(__dirname, '_node_script.js');
+    const options = {};
+    const pollutedObject = {
+      env: {
+        NODE_OPTIONS: `--require ${pathName}`,
+      },
+      shell: process.argv[0],
+    };
+    // eslint-disable-next-line no-proto
+    options.__proto__['2'] = pollutedObject;
+
+    const argsArray = [];
+
+    /**
+     * Declares that 3 assertions should be run.
+     * We don't use the assertProcess function here as we need an extra assertion
+     * for the polluted prototype
+     */
+    t.plan(3);
+
+    t.deepEqual(
+      argsArray[2],
+      pollutedObject,
+      'Prototype should be polluted with the object at index 2'
+    );
+
+    const stdout = '';
+
+    const cmd = cp.spawn(command, argsArray);
+    cmd.stdout.on('data', (data) => {
+      t.equal(data.toString().trim(), stdout);
+    });
+
+    cmd.stderr.on('data', (data) => {
+      t.fail(`Unexpected data on STDERR: "${data}"`);
+    });
+
+    cmd.on('close', (code) => {
+      t.equal(code, 0);
+      t.end();
+    });
+  });
+
   for (const unset of notSet) {
     test(`spawn(command, ${unset})`, (t) => {
       assertProcess(t, cp.spawn(command, unset));