Skip to content

Commit

Permalink
Merge remote-tracking branch 'upstream/master' into tgrid-bulk-action…
Browse files Browse the repository at this point in the history
…s-rbac-update
  • Loading branch information
semd committed Aug 13, 2021
2 parents 1710bf3 + 8cc5f49 commit 22a85ea
Show file tree
Hide file tree
Showing 436 changed files with 9,294 additions and 4,922 deletions.
2 changes: 1 addition & 1 deletion .ci/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# NOTE: This Dockerfile is ONLY used to run certain tasks in CI. It is not used to run Kibana or as a distributable.
# If you're looking for the Kibana Docker image distributable, please see: src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts

ARG NODE_VERSION=14.17.3
ARG NODE_VERSION=14.17.5

FROM node:${NODE_VERSION} AS base

Expand Down
1 change: 1 addition & 0 deletions .eslintignore
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ snapshots.js
/x-pack/plugins/canvas/shareable_runtime/build
/x-pack/plugins/canvas/storybook/build
/x-pack/plugins/reporting/server/export_types/printable_pdf/server/lib/pdf/assets/**
/x-pack/plugins/reporting/server/export_types/printable_pdf_v2/server/lib/pdf/assets/**

# package overrides
/packages/elastic-eslint-config-kibana
Expand Down
8 changes: 8 additions & 0 deletions .github/CODEOWNERS
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,8 @@
/x-pack/plugins/observability/public/components/shared/exploratory_view @elastic/uptime
/x-pack/test/functional_with_es_ssl/apps/uptime @elastic/uptime
/x-pack/test/functional/apps/uptime @elastic/uptime
/x-pack/test/functional/es_archives/uptime @elastic/uptime
/x-pack/test/functional/services/uptime @elastic/uptime
/x-pack/test/api_integration/apis/uptime @elastic/uptime

# Client Side Monitoring / Uptime (lives in APM directories but owned by Uptime)
Expand All @@ -123,6 +125,12 @@

# Presentation
/src/plugins/dashboard/ @elastic/kibana-presentation
/src/plugins/expression_error/ @elastic/kibana-presentation
/src/plugins/expression_image/ @elastic/kibana-presentation
/src/plugins/expression_metric/ @elastic/kibana-presentation
/src/plugins/expression_repeat_image/ @elastic/kibana-presentation
/src/plugins/expression_reveal_image/ @elastic/kibana-presentation
/src/plugins/expression_shape/ @elastic/kibana-presentation
/src/plugins/input_control_vis/ @elastic/kibana-presentation
/src/plugins/vis_type_markdown/ @elastic/kibana-presentation
/src/plugins/presentation_util/ @elastic/kibana-presentation
Expand Down
2 changes: 1 addition & 1 deletion .node-version
Original file line number Diff line number Diff line change
@@ -1 +1 @@
14.17.3
14.17.5
2 changes: 1 addition & 1 deletion .nvmrc
Original file line number Diff line number Diff line change
@@ -1 +1 @@
14.17.3
14.17.5
12 changes: 6 additions & 6 deletions WORKSPACE.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,13 @@ check_rules_nodejs_version(minimum_version_string = "3.7.0")
# we can update that rule.
node_repositories(
node_repositories = {
"14.17.3-darwin_amd64": ("node-v14.17.3-darwin-x64.tar.gz", "node-v14.17.3-darwin-x64", "522f85db1d1fe798cba5f601d1bba7b5203ca8797b2bc934ff6f24263f0b7fb2"),
"14.17.3-linux_arm64": ("node-v14.17.3-linux-arm64.tar.xz", "node-v14.17.3-linux-arm64", "80f4143d3c2d4cf3c4420eea3202c7bf16788b0a72fd512e60bfc8066a08a51c"),
"14.17.3-linux_s390x": ("node-v14.17.3-linux-s390x.tar.xz", "node-v14.17.3-linux-s390x", "4f69c30732f94189b9ab98f3100b17f1e4db2000848d56064e887be1c28e81ae"),
"14.17.3-linux_amd64": ("node-v14.17.3-linux-x64.tar.xz", "node-v14.17.3-linux-x64", "d659d78144042a1801f35dd611d0fab137e841cde902b2c6a821163a5e36f105"),
"14.17.3-windows_amd64": ("node-v14.17.3-win-x64.zip", "node-v14.17.3-win-x64", "170fb4f95539d1d7e1295fb2556cb72bee352cdf81a02ffb16cf6d50ad2fefbf"),
"14.17.5-darwin_amd64": ("node-v14.17.5-darwin-x64.tar.gz", "node-v14.17.5-darwin-x64", "2e40ab625b45b9bdfcb963ddd4d65d87ddf1dd37a86b6f8b075cf3d77fe9dc09"),
"14.17.5-linux_arm64": ("node-v14.17.5-linux-arm64.tar.xz", "node-v14.17.5-linux-arm64", "3a2e674b6db50dfde767c427e8f077235bbf6f9236e1b12a4cc3496b12f94bae"),
"14.17.5-linux_s390x": ("node-v14.17.5-linux-s390x.tar.xz", "node-v14.17.5-linux-s390x", "7d40eee3d54241403db12fb3bc420cd776e2b02e89100c45cf5e74a73942e7f6"),
"14.17.5-linux_amd64": ("node-v14.17.5-linux-x64.tar.xz", "node-v14.17.5-linux-x64", "2d759de07a50cd7f75bd73d67e97b0d0e095ee3c413efac7d1b3d1e84ed76fff"),
"14.17.5-windows_amd64": ("node-v14.17.5-win-x64.zip", "node-v14.17.5-win-x64", "a99b7ee08e846e5d1f4e70c4396265542819d79ed9cebcc27760b89571f03cbf"),
},
node_version = "14.17.3",
node_version = "14.17.5",
node_urls = [
"https://nodejs.org/dist/v{version}/{filename}",
],
Expand Down
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
108 changes: 55 additions & 53 deletions dev_docs/best_practices.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,10 @@ Refer to [divio documentation](https://documentation.divio.com/) for guidance on

<DocLink id="kibDevDocsWelcome" text="Getting started" /> and
<DocLink id="kibPlatformIntro" text="Key concepts" /> sections are both _explanation_ oriented,
<DocLink id="kibDevTutorialBuildAPlugin" text="Tutorials" /> covers both _tutorials_ and _How to_, and
the <DocLink id="kibDevDocsApiWelcome" text="API documentation" /> section covers _reference_ material.
<DocLink id="kibDevTutorialDebugging" text="Tutorials" /> covers both _tutorials_ and _How to_, and the <DocLink
id="kibDevDocsApiWelcome"
text="API documentation"
/> section covers _reference_ material.

#### Location

Expand Down Expand Up @@ -256,17 +258,17 @@ links](https://elastic.github.io/eui/#/navigation/link#link-validation), and a r

**Best practices**

* Check for dangerous functions or assignments that can result in unescaped user input in the browser DOM. Avoid using:
* **React:** [`dangerouslySetInnerHtml`](https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml).
* **Browser DOM:** `Element.innerHTML` and `Element.outerHTML`.
* If using the aforementioned unsafe functions or assignments is absolutely necessary, follow [these XSS prevention
rules](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#xss-prevention-rules) to ensure that
user input is not inserted into unsafe locations and that it is escaped properly.
* Use EUI components to build your UI, particularly when rendering `href` links. Otherwise, sanitize user input before rendering links to
ensure that they do not use the `javascript:` protocol.
* Don't use the `eval`, `Function`, and `_.template` functions -- these are restricted by ESLint rules.
* Be careful when using `setTimeout` and `setInterval` in client-side code. If an attacker can manipulate the arguments and pass a string to
one of these, it is evaluated dynamically, which is equivalent to the dangerous `eval` function.
- Check for dangerous functions or assignments that can result in unescaped user input in the browser DOM. Avoid using:
- **React:** [`dangerouslySetInnerHtml`](https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml).
- **Browser DOM:** `Element.innerHTML` and `Element.outerHTML`.
- If using the aforementioned unsafe functions or assignments is absolutely necessary, follow [these XSS prevention
rules](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#xss-prevention-rules) to ensure that
user input is not inserted into unsafe locations and that it is escaped properly.
- Use EUI components to build your UI, particularly when rendering `href` links. Otherwise, sanitize user input before rendering links to
ensure that they do not use the `javascript:` protocol.
- Don't use the `eval`, `Function`, and `_.template` functions -- these are restricted by ESLint rules.
- Be careful when using `setTimeout` and `setInterval` in client-side code. If an attacker can manipulate the arguments and pass a string to
one of these, it is evaluated dynamically, which is equivalent to the dangerous `eval` function.

### Cross-Site Request Forgery (CSRF/XSRF)

Expand All @@ -280,10 +282,10 @@ Headers](https://www.elastic.co/guide/en/kibana/master/api.html#api-request-head

**Best practices**

* Ensure all HTTP routes are registered with the [Kibana HTTP service](https://www.elastic.co/guide/en/kibana/master/http-service.html) to
take advantage of the custom request header security control.
* Note that HTTP GET requests do **not** require the custom request header; any routes that change data should [adhere to the HTTP
specification and use a different method (PUT, POST, etc.)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
- Ensure all HTTP routes are registered with the [Kibana HTTP service](https://www.elastic.co/guide/en/kibana/master/http-service.html) to
take advantage of the custom request header security control.
- Note that HTTP GET requests do **not** require the custom request header; any routes that change data should [adhere to the HTTP
specification and use a different method (PUT, POST, etc.)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)

### Remote Code Execution (RCE)

Expand All @@ -295,11 +297,11 @@ ESLint rules to restrict vulnerable functions, and by hooking into or hardening

**Best practices**

* Don't use the `eval`, `Function`, and `_.template` functions -- these are restricted by ESLint rules.
* Don't use dynamic `require`.
* Check for usages of templating libraries. Ensure that user-provided input doesn't influence the template and is used only as data for
rendering the template.
* Take extra caution when spawning child processes with any user input or parameters that are user-controlled.
- Don't use the `eval`, `Function`, and `_.template` functions -- these are restricted by ESLint rules.
- Don't use dynamic `require`.
- Check for usages of templating libraries. Ensure that user-provided input doesn't influence the template and is used only as data for
rendering the template.
- Take extra caution when spawning child processes with any user input or parameters that are user-controlled.

### Prototype Pollution

Expand All @@ -309,26 +311,26 @@ hardening sensitive functions (such as those exposed by `child_process`), and by

**Best practices**

* Check for instances of `anObject[a][b] = c` where `a`, `b`, and `c` are controlled by user input. This includes code paths where the
following logical code steps could be performed in separate files by completely different operations, or by recursively using dynamic
operations.
* Validate all user input, including API URL parameters, query parameters, and payloads. Preferably, use a schema that only allows specific
keys and values. At a minimum, implement a deny-list that prevents `__proto__` and `prototype.constructor` from being used within object
keys.
* When calling APIs that spawn new processes or perform code generation from strings, protect against Prototype Pollution by checking if
`Object.hasOwnProperty` has arguments to the APIs that originate from an Object. An example is the defunct Code app's
[`spawnProcess`](https://github.com/elastic/kibana/blob/b49192626a8528af5d888545fb14cd1ce66a72e7/x-pack/legacy/plugins/code/server/lsp/workspace_command.ts#L40-L44)
function.
* Common Node.js offenders: `child_process.spawn`, `child_process.exec`, `eval`, `Function('some string')`, `vm.runInContext(x)`,
`vm.runInNewContext(x)`, `vm.runInThisContext()`
* Common client-side offenders: `eval`, `Function('some string')`, `setTimeout('some string', num)`, `setInterval('some string', num)`
- Check for instances of `anObject[a][b] = c` where `a`, `b`, and `c` are controlled by user input. This includes code paths where the
following logical code steps could be performed in separate files by completely different operations, or by recursively using dynamic
operations.
- Validate all user input, including API URL parameters, query parameters, and payloads. Preferably, use a schema that only allows specific
keys and values. At a minimum, implement a deny-list that prevents `__proto__` and `prototype.constructor` from being used within object
keys.
- When calling APIs that spawn new processes or perform code generation from strings, protect against Prototype Pollution by checking if
`Object.hasOwnProperty` has arguments to the APIs that originate from an Object. An example is the defunct Code app's
[`spawnProcess`](https://github.com/elastic/kibana/blob/b49192626a8528af5d888545fb14cd1ce66a72e7/x-pack/legacy/plugins/code/server/lsp/workspace_command.ts#L40-L44)
function.
- Common Node.js offenders: `child_process.spawn`, `child_process.exec`, `eval`, `Function('some string')`, `vm.runInContext(x)`,
`vm.runInNewContext(x)`, `vm.runInThisContext()`
- Common client-side offenders: `eval`, `Function('some string')`, `setTimeout('some string', num)`, `setInterval('some string', num)`

See also:

* [Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications |
portswigger.net](https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications)
* [Prototype pollution attack in NodeJS application | Olivier
Arteau](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)
- [Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications |
portswigger.net](https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications)
- [Prototype pollution attack in NodeJS application | Olivier
Arteau](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)

### Server-Side Request Forgery (SSRF)

Expand All @@ -339,12 +341,12 @@ a vector for information disclosure or injection attacks.

**Best practices**

* Ensure that all outbound requests from the Kibana server use hard-coded URLs.
* If user input is used to construct a URL for an outbound request, ensure that an allow-list is used to validate the endpoints and that
user input is escaped properly. Ideally, the allow-list should be set in `kibana.yml`, so only server administrators can change it.
* This is particularly relevant when using `transport.request` with the Elasticsearch client, as no automatic escaping is performed.
* Note that URLs are very hard to validate properly; exact match validation for user input is most preferable, while URL parsing or RegEx
validation should only be used if absolutely necessary.
- Ensure that all outbound requests from the Kibana server use hard-coded URLs.
- If user input is used to construct a URL for an outbound request, ensure that an allow-list is used to validate the endpoints and that
user input is escaped properly. Ideally, the allow-list should be set in `kibana.yml`, so only server administrators can change it.
- This is particularly relevant when using `transport.request` with the Elasticsearch client, as no automatic escaping is performed.
- Note that URLs are very hard to validate properly; exact match validation for user input is most preferable, while URL parsing or RegEx
validation should only be used if absolutely necessary.

### Reverse tabnabbing

Expand All @@ -356,10 +358,10 @@ buttons, and other vulnerable DOM elements.

**Best practices**

* Use EUI components to build your UI whenever possible. Otherwise, ensure that any DOM elements that have an `href` attribute also have the
`rel="noreferrer noopener"` attribute specified. For more information, refer to the [OWASP HTML5 Security Cheat
Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md#tabnabbing).
* If using a non-EUI markdown renderer, use a custom link renderer for rendered links.
- Use EUI components to build your UI whenever possible. Otherwise, ensure that any DOM elements that have an `href` attribute also have the
`rel="noreferrer noopener"` attribute specified. For more information, refer to the [OWASP HTML5 Security Cheat
Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md#tabnabbing).
- If using a non-EUI markdown renderer, use a custom link renderer for rendered links.

### Information disclosure

Expand All @@ -370,7 +372,7 @@ control, but at a high level, Kibana relies on the hapi framework to automatical

**Best practices**

* Look for instances where sensitive information might accidentally be revealed, particularly in error messages, in the UI, and URL
parameters that are exposed to users.
* Make sure that sensitive request data is not forwarded to external resources. For example, copying client request headers and using them
to make an another request could accidentally expose the user's credentials.
- Look for instances where sensitive information might accidentally be revealed, particularly in error messages, in the UI, and URL
parameters that are exposed to users.
- Make sure that sensitive request data is not forwarded to external resources. For example, copying client request headers and using them
to make an another request could accidentally expose the user's credentials.
37 changes: 37 additions & 0 deletions dev_docs/getting_started/add_data.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
---
id: kibDevAddData
slug: /kibana-dev-docs/tutorial/sample-data
title: Add data
summary: Learn how to add data to Kibana
date: 2021-08-11
tags: ['kibana', 'onboarding', 'dev', 'architecture', 'tutorials']
---

Building a feature and need an easy way to test it out with some data? Below are three options.

## 1. Add Sample Data from the UI

Kibana ships with sample data that you can install at the click of the button. If you are building a feature and need some data to test it out with, sample data is a great option. The only limitation is that this data will not work for Security or Observability solutions (see [#62962](https://github.com/elastic/kibana/issues/62962)).

1. Navigate to the home page.
2. Click **Add data**.
3. Click on the **Sample data** tab.
4. Select a dataset by clicking on the **Add data** button.

![Sample Data](../assets/sample_data.png)

## CSV Upload

1. If you don't have any data, navigate to Stack Management > Index Patterns and click the link to the uploader. If you do have data, navigate to the **Machine Learning** application.
2. Click on the **Data Visualizer** tab.
3. Click on **Select file** in the **Import data** container.

![CSV Upload](../assets/ml_csv_upload.png)

## makelogs

The makelogs script generates sample web server logs. Make sure Elasticsearch is running before running the script.

```sh
node scripts/makelogs --auth <username>:<password>
```
3 changes: 2 additions & 1 deletion dev_docs/getting_started/dev_welcome.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,8 @@ Kibana ships with many out-of-the-box capabilities that can be extended and enha
Recommended next reading:

1. <DocLink id="kibDevTutorialSetupDevEnv" text="Set up your development environment" />
2. Create a simple <DocLink id="kibHelloWorldApp" text="Hello World plugin"/>.
2. Create a <DocLink id="kibHelloWorldApp" text="Hello World plugin"/>.
3. <DocLink id="kibDevAddData" text="Add data" />.

Check out our <DocLink id="kibDevDocsApiWelcome" text="API documentation" /> to dig into the nitty gritty details of
every public plugin API.
16 changes: 9 additions & 7 deletions dev_docs/getting_started/hello_world_plugin.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ $ mkdir hello_world
$ cd hello_world
```

2. Create the <DocLink id="kibDevTutorialBuildAPlugin" section="1-kibanajson" text="kibana.json manifest file"/>.
2. Create the <DocLink id="kibDevAnatomyOfAPlugin" section="kibanajson" text="kibana.json manifest file"/>.

```
$ touch kibana.json
Expand All @@ -44,7 +44,7 @@ and add the following:
}
```

3. Create a `tsconfig.json` file.
3. Create a <DocLink id="kibDevAnatomyOfAPlugin" section="tsconfigjson" text="tsconfig.json file" />.

```
$ touch tsconfig.json
Expand All @@ -56,8 +56,7 @@ And add the following to it:
{
"extends": "../../tsconfig.json",
"compilerOptions": {
"outDir": "./target",
"skipLibCheck": true
"outDir": "./target/types",
},
"include": [
"index.ts",
Expand All @@ -67,11 +66,14 @@ And add the following to it:
"server/**/*.ts",
"../../typings/**/*"
],
"exclude": []
"exclude": [],
"references": [
{ "path": "../../src/core/tsconfig.json" }
]
}
```

4. Create a <DocLink id="kibDevTutorialBuildAPlugin" section="2-publicindexts" text="`public/plugin.tsx` file "/>.
4. Create a <DocLink id="kibDevAnatomyOfAPlugin" section="publicindexts" text="`public/plugin.tsx` file "/>.

```
$ mkdir public
Expand Down Expand Up @@ -104,7 +106,7 @@ export class HelloWorldPlugin implements Plugin {
}
```

5. Create a <DocLink id="kibDevTutorialBuildAPlugin" section="3-publicplugints" text="`public/index.ts` file "/>.
5. Create a <DocLink id="kibDevAnatomyOfAPlugin" section="publicplugints" text="`public/index.ts` file "/>.

```
$ touch index.ts
Expand Down
Loading

0 comments on commit 22a85ea

Please sign in to comment.