-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NP Router handler doesn't provide to request body on validate: false #44170
Comments
Whether or not you use validation shouldn't affect how you access the request objects (query, params, body). It should only control whether or not you validated the request objects. Setting |
Pinging @elastic/kibana-platform |
Validating incoming data provides us pretty great protection against prototype pollution attacks. I'm not sure if was the rationale for requiring it or not, but it seems like a pretty good reason to me. I agree there should be a way to opt out and
It should be noted that |
The current implementation was done at my request, for the reasons which @joshdover articulated. One of the best defenses against prototype pollution is requiring the user's input to match a strict schema. We've historically had routes which allowed free-form user input which was then used with a vulnerable recursive algorithm like We really shouldn't be using the user's input "as-is" without validation. If there's a specific use-case this enables which I just haven't thought of, please do bring it up. It certainly makes my life easier if we standardize on a validation library as it makes linting/static-analysis for "non-strict" validation on routes easier to detect. Are there specific features which If we do end up allowing route definitions to skip the validation, I'd prefer we name the setting something painfully obvious like "dangerouslySkipValidation". This makes it more obvious to the author that this is a dangerous operation, and makes it easier for us to "grep" for usages. |
Aren't GET requests effectively exempt from this since they have the e.g. my
and the handler would get this in
The plugin I'm writing is new and still rather small, so the conversion isn't a concern for me. However, the @elastic/infra-logs-ui team has some My goal is to describe the validation in one place and use that description as (directly or as part of some pipeline) a) validation schema b) TypeScript type/interface c) JSON Schema and/or OpenAPI spec. I had some discussion about this in #36674 (comment) and did some exploration in #40041. I see a way to do that with both
so hopefully |
That's a good point. I'm not super excited to restrict access to |
I don't have all of the context but: On APM we've ditched joi and are using io-ts for runtime and compile time checks. Works great 👍 I don't assume this is going to be a problem in NP? |
I agree that we should be requiring some sort of validation. The most flexible API would be to just require a validation function, but that is open to "abuse" with something like As far as I can tell |
Agree. It provides a good balance between security, ease of use and speed of migration.
|
Just want to add my $0.02 about
|
Another vote from my side for leaving the option to use other validation methods in general and io-ts in particular. We use it for full validation of the elasticsearch - kibana - browser communication with the io-ts type as the single source of truth. |
My 0.05₽ as well:
Even though it's good to know, it may not matter too much to consumers if it's done under the hood in
That's a good point and one of the reasons why we wanted to abstract away from But I'm curious how real this use case is already, do you have any immediate need in sharing schemas you define on your server-side routes and use on client-side for something else?
I see your point, but I'm really afraid of fragmenting our HTTP request validation infrastructure. If we find an issue in Another thing that may be problematic in using
That's quite easy to implement in Having said that I'd be glad if we replace re: validate: { body: schema.object({}, { allowUnknowns: true }) } We can probably allow using |
That is the title/purpose of the original ticket, but the the discussion has grown to something larger. I'm ok with closing this ticket with "works as intended" and letting teams use the However, I think the discussion that began here around the current/future use of |
Kibana version:
master
/0150c8e
Elasticsearch version:
8.0.0-SNAPSHOT
Problem
When using the NP router for POST routes, the request handler doesn't appear to have access to the request body when
validate: false
is suppliedSteps to reproduce
Observed
logs
return value from /b
to terminal making request andin server logs (no request body that I can find)
Expected
Some way to access the request body. Whether to validate independently or simply to use it as-is.
Further discussion
Reading the notes
kibana/src/core/server/http/router/route.ts
Lines 65 to 87 in d394ded
There are many reasons why one might set
validate: false
. For example, if they already have a validation library likeio-ts
orjoi
and they want the NP router/handler without also having convert to their models to@kbn/config-schema
. Settingvalidate: false
and moving the validation to the handler allows for an incremental move to NP, droppinghapi
orKbnServer
without also having to give up what they like about their validation library.In my opinion, it's reasonable to say, if you want these additional features (e.g. validation and
request.{query,params,body}
properties) you must use this pattern, but I don't think it's helpful to prevent all other ways to accomplish the task (processing the POST) request.For example, in
GET
request handlers, therequest.{query,params,body}
parameters are also empty objects{}
, but there is a WhatWG URL instance that can be used. It's present in thePOST
request above as well. This way, developers can opt-out of validation, but still achieve their goal.There are a number of possible solutions to this approach, but I think the most important thing is to provide some way to access the request body when not using
@kbn/config-schema
The text was updated successfully, but these errors were encountered: