From 6884fd1275e78df79462d419b76469985f85880d Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 9 Jan 2024 12:38:30 -0500
Subject: [PATCH] [8.12] Fix issue with KQL wildcard queries not properly
 escaping backslashes (#174464) (#174533)

# Backport

This will backport the following commits from `main` to `8.12`:
- [Fix issue with KQL wildcard queries not properly escaping backslashes
(#174464)](https://github.com/elastic/kibana/pull/174464)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Lukas
Olson","email":"lukas@elastic.co"},"sourceCommit":{"committedDate":"2024-01-09T16:24:12Z","message":"Fix
issue with KQL wildcard queries not properly escaping backslashes
(#174464)\n\n## Summary\r\n\r\nFixes
https://github.com/elastic/kibana/issues/169709.\r\n\r\nPrior to this
PR, KQL queries against keyword fields would not properly\r\nhandle
escaped special characters (such as backslash). This PR fixes
the\r\nbehavior to properly re-escape special characters before sending
them\r\nalong to the wildcard query.\r\n\r\n### Checklist\r\n\r\n- [x]
[Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n\r\n### Release
note\r\n\r\nKQL queries against wildcards now properly handle escaped
special\r\ncharacters without requiring
double-escaping.\r\n\r\nCo-authored-by: Kibana Machine
<42973632+kibanamachine@users.noreply.github.com>","sha":"46fbfd3b13c80d49e51b6b1541fecebb7c628e02","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Feature:KQL","Team:DataDiscovery","v8.12.1","v8.13.0"],"title":"Fix
issue with KQL wildcard queries not properly escaping
backslashes","number":174464,"url":"https://github.com/elastic/kibana/pull/174464","mergeCommit":{"message":"Fix
issue with KQL wildcard queries not properly escaping backslashes
(#174464)\n\n## Summary\r\n\r\nFixes
https://github.com/elastic/kibana/issues/169709.\r\n\r\nPrior to this
PR, KQL queries against keyword fields would not properly\r\nhandle
escaped special characters (such as backslash). This PR fixes
the\r\nbehavior to properly re-escape special characters before sending
them\r\nalong to the wildcard query.\r\n\r\n### Checklist\r\n\r\n- [x]
[Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n\r\n### Release
note\r\n\r\nKQL queries against wildcards now properly handle escaped
special\r\ncharacters without requiring
double-escaping.\r\n\r\nCo-authored-by: Kibana Machine
<42973632+kibanamachine@users.noreply.github.com>","sha":"46fbfd3b13c80d49e51b6b1541fecebb7c628e02"}},"sourceBranch":"main","suggestedTargetBranches":["8.12"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","branchLabelMappingKey":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/174464","number":174464,"mergeCommit":{"message":"Fix
issue with KQL wildcard queries not properly escaping backslashes
(#174464)\n\n## Summary\r\n\r\nFixes
https://github.com/elastic/kibana/issues/169709.\r\n\r\nPrior to this
PR, KQL queries against keyword fields would not properly\r\nhandle
escaped special characters (such as backslash). This PR fixes
the\r\nbehavior to properly re-escape special characters before sending
them\r\nalong to the wildcard query.\r\n\r\n### Checklist\r\n\r\n- [x]
[Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n\r\n### Release
note\r\n\r\nKQL queries against wildcards now properly handle escaped
special\r\ncharacters without requiring
double-escaping.\r\n\r\nCo-authored-by: Kibana Machine
<42973632+kibanamachine@users.noreply.github.com>","sha":"46fbfd3b13c80d49e51b6b1541fecebb7c628e02"}}]}]
BACKPORT-->

Co-authored-by: Lukas Olson <lukas@elastic.co>
---
 .../src/kuery/functions/is.test.ts            | 23 +++++++++++++++++++
 .../kbn-es-query/src/kuery/functions/is.ts    |  2 +-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/packages/kbn-es-query/src/kuery/functions/is.test.ts b/packages/kbn-es-query/src/kuery/functions/is.test.ts
index a19c951c184a9..5b52eff548ed3 100644
--- a/packages/kbn-es-query/src/kuery/functions/is.test.ts
+++ b/packages/kbn-es-query/src/kuery/functions/is.test.ts
@@ -253,6 +253,29 @@ describe('kuery functions', () => {
         expect(result).toEqual(expected);
       });
 
+      test('should create a wildcard query with backslashes properly escaped', () => {
+        const expected = {
+          bool: {
+            should: [
+              {
+                wildcard: {
+                  'machine.os.keyword': { value: '*\\\\*' },
+                },
+              },
+            ],
+            minimum_should_match: 1,
+          },
+        };
+        const node = nodeTypes.function.buildNode(
+          'is',
+          'machine.os.keyword',
+          '*\\\\*'
+        ) as KqlIsFunctionNode;
+        const result = is.toElasticsearchQuery(node, indexPattern);
+
+        expect(result).toEqual(expected);
+      });
+
       test('should support scripted fields', () => {
         const node = nodeTypes.function.buildNode(
           'is',
diff --git a/packages/kbn-es-query/src/kuery/functions/is.ts b/packages/kbn-es-query/src/kuery/functions/is.ts
index 55bce74973741..46a6acfc56ff9 100644
--- a/packages/kbn-es-query/src/kuery/functions/is.ts
+++ b/packages/kbn-es-query/src/kuery/functions/is.ts
@@ -159,7 +159,7 @@ export function toElasticsearchQuery(
         ? {
             wildcard: {
               [field.name]: {
-                value,
+                value: wildcard.toQueryStringQuery(valueArg),
                 ...(typeof config.caseInsensitive === 'boolean' && {
                   case_insensitive: config.caseInsensitive,
                 }),