-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ML] Various fixes for possible prototype pollution vulnerabilities #194529
[ML] Various fixes for possible prototype pollution vulnerabilities #194529
Conversation
Pinging @elastic/ml-ui (:ml) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@@ -7,7 +7,7 @@ | |||
|
|||
export const setNestedProperty = (obj: Record<string, any>, accessor: string, value: any) => { | |||
let ref = obj; | |||
const accessors = accessor.split('.'); | |||
const accessors = accessor.split('.').filter((a) => a !== '__proto__'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we consider constructor
too? I'm unsure if we should silently ignore like now or do the check in the for loop and throw, what do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated in 734ae86
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@walterra I've updated the check to throw an error now as per our offline discussion. Could you please take another look. |
💛 Build succeeded, but was flaky
Failed CI StepsTest FailuresMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
Starting backport for target branches: 8.x |
…lastic#194529) Fixes potential prototype pollution vulnerability in `setNestedProperty` function. Fixes incomplete string escaping issue in ML's saved object service. (cherry picked from commit d1f24b0)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…ties (#194529) (#194660) # Backport This will backport the following commits from `main` to `8.x`: - [[ML] Various fixes for possible prototype pollution vulnerabilities (#194529)](#194529) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"James Gowdy","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-02T07:47:19Z","message":"[ML] Various fixes for possible prototype pollution vulnerabilities (#194529)\n\nFixes potential prototype pollution vulnerability in `setNestedProperty`\r\nfunction.\r\nFixes incomplete string escaping issue in ML's saved object service.","sha":"d1f24b050b53cc7b13fbc47b6de3c5f69606e88e","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix",":ml","v9.0.0","v8.16.0","backport:version"],"title":"[ML] Various fixes for possible prototype pollution vulnerabilities","number":194529,"url":"https://github.com/elastic/kibana/pull/194529","mergeCommit":{"message":"[ML] Various fixes for possible prototype pollution vulnerabilities (#194529)\n\nFixes potential prototype pollution vulnerability in `setNestedProperty`\r\nfunction.\r\nFixes incomplete string escaping issue in ML's saved object service.","sha":"d1f24b050b53cc7b13fbc47b6de3c5f69606e88e"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194529","number":194529,"mergeCommit":{"message":"[ML] Various fixes for possible prototype pollution vulnerabilities (#194529)\n\nFixes potential prototype pollution vulnerability in `setNestedProperty`\r\nfunction.\r\nFixes incomplete string escaping issue in ML's saved object service.","sha":"d1f24b050b53cc7b13fbc47b6de3c5f69606e88e"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: James Gowdy <[email protected]>
Fixes potential prototype pollution vulnerability in
setNestedProperty
function.Fixes incomplete string escaping issue in ML's saved object service.