Merge branch 'master' into execution-ctx-disable

mshustov · Aug 16, 2021 · 5336d3e · 5336d3e
2 parents 5385435 + 7888c9c
commit 5336d3e
Show file tree

Hide file tree

Showing 1,109 changed files with 27,430 additions and 12,579 deletions.
diff --git a/.ci/Dockerfile b/.ci/Dockerfile
@@ -1,7 +1,7 @@
 # NOTE: This Dockerfile is ONLY used to run certain tasks in CI. It is not used to run Kibana or as a distributable.
 # If you're looking for the Kibana Docker image distributable, please see: src/dev/build/tasks/os_packages/docker_generator/templates/dockerfile.template.ts
 
-ARG NODE_VERSION=14.17.3
+ARG NODE_VERSION=14.17.5
 
 FROM node:${NODE_VERSION} AS base
 

diff --git a/.eslintignore b/.eslintignore
@@ -27,6 +27,7 @@ snapshots.js
 /x-pack/plugins/canvas/shareable_runtime/build
 /x-pack/plugins/canvas/storybook/build
 /x-pack/plugins/reporting/server/export_types/printable_pdf/server/lib/pdf/assets/**
+/x-pack/plugins/reporting/server/export_types/printable_pdf_v2/server/lib/pdf/assets/**
 
 # package overrides
 /packages/elastic-eslint-config-kibana

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -125,6 +125,12 @@
 
 # Presentation
 /src/plugins/dashboard/ @elastic/kibana-presentation
+/src/plugins/expression_error/ @elastic/kibana-presentation
+/src/plugins/expression_image/ @elastic/kibana-presentation
+/src/plugins/expression_metric/ @elastic/kibana-presentation
+/src/plugins/expression_repeat_image/ @elastic/kibana-presentation
+/src/plugins/expression_reveal_image/ @elastic/kibana-presentation
+/src/plugins/expression_shape/ @elastic/kibana-presentation
 /src/plugins/input_control_vis/ @elastic/kibana-presentation
 /src/plugins/vis_type_markdown/ @elastic/kibana-presentation
 /src/plugins/presentation_util/ @elastic/kibana-presentation

diff --git a/.node-version b/.node-version
@@ -1 +1 @@
-14.17.3
+14.17.5
diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-14.17.3
+14.17.5
diff --git a/WORKSPACE.bazel b/WORKSPACE.bazel
@@ -10,15 +10,15 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 # Fetch Node.js rules
 http_archive(
   name = "build_bazel_rules_nodejs",
-  sha256 = "8f5f192ba02319254aaf2cdcca00ec12eaafeb979a80a1e946773c520ae0a2c9",
-  urls = ["https://github.com/bazelbuild/rules_nodejs/releases/download/3.7.0/rules_nodejs-3.7.0.tar.gz"],
+  sha256 = "e79c08a488cc5ac40981987d862c7320cee8741122a2649e9b08e850b6f20442",
+  urls = ["https://github.com/bazelbuild/rules_nodejs/releases/download/3.8.0/rules_nodejs-3.8.0.tar.gz"],
 )
 
 # Now that we have the rules let's import from them to complete the work
 load("@build_bazel_rules_nodejs//:index.bzl", "check_rules_nodejs_version", "node_repositories", "yarn_install")
 
 # Assure we have at least a given rules_nodejs version
-check_rules_nodejs_version(minimum_version_string = "3.7.0")
+check_rules_nodejs_version(minimum_version_string = "3.8.0")
 
 # Setup the Node.js toolchain for the architectures we want to support
 #
@@ -27,13 +27,13 @@ check_rules_nodejs_version(minimum_version_string = "3.7.0")
 # we can update that rule.
 node_repositories(
   node_repositories = {
-    "14.17.3-darwin_amd64": ("node-v14.17.3-darwin-x64.tar.gz", "node-v14.17.3-darwin-x64", "522f85db1d1fe798cba5f601d1bba7b5203ca8797b2bc934ff6f24263f0b7fb2"),
-    "14.17.3-linux_arm64": ("node-v14.17.3-linux-arm64.tar.xz", "node-v14.17.3-linux-arm64", "80f4143d3c2d4cf3c4420eea3202c7bf16788b0a72fd512e60bfc8066a08a51c"),
-    "14.17.3-linux_s390x": ("node-v14.17.3-linux-s390x.tar.xz", "node-v14.17.3-linux-s390x", "4f69c30732f94189b9ab98f3100b17f1e4db2000848d56064e887be1c28e81ae"),
-    "14.17.3-linux_amd64": ("node-v14.17.3-linux-x64.tar.xz", "node-v14.17.3-linux-x64", "d659d78144042a1801f35dd611d0fab137e841cde902b2c6a821163a5e36f105"),
-    "14.17.3-windows_amd64": ("node-v14.17.3-win-x64.zip", "node-v14.17.3-win-x64", "170fb4f95539d1d7e1295fb2556cb72bee352cdf81a02ffb16cf6d50ad2fefbf"),
+    "14.17.5-darwin_amd64": ("node-v14.17.5-darwin-x64.tar.gz", "node-v14.17.5-darwin-x64", "2e40ab625b45b9bdfcb963ddd4d65d87ddf1dd37a86b6f8b075cf3d77fe9dc09"),
+    "14.17.5-linux_arm64": ("node-v14.17.5-linux-arm64.tar.xz", "node-v14.17.5-linux-arm64", "3a2e674b6db50dfde767c427e8f077235bbf6f9236e1b12a4cc3496b12f94bae"),
+    "14.17.5-linux_s390x": ("node-v14.17.5-linux-s390x.tar.xz", "node-v14.17.5-linux-s390x", "7d40eee3d54241403db12fb3bc420cd776e2b02e89100c45cf5e74a73942e7f6"),
+    "14.17.5-linux_amd64": ("node-v14.17.5-linux-x64.tar.xz", "node-v14.17.5-linux-x64", "2d759de07a50cd7f75bd73d67e97b0d0e095ee3c413efac7d1b3d1e84ed76fff"),
+    "14.17.5-windows_amd64": ("node-v14.17.5-win-x64.zip", "node-v14.17.5-win-x64", "a99b7ee08e846e5d1f4e70c4396265542819d79ed9cebcc27760b89571f03cbf"),
   },
-  node_version = "14.17.3",
+  node_version = "14.17.5",
   node_urls = [
     "https://nodejs.org/dist/v{version}/{filename}",
   ],

diff --git a/dev_docs/assets/data_view_diagram.png b/dev_docs/assets/data_view_diagram.png
diff --git a/dev_docs/assets/kibana_template_no_data_config.png b/dev_docs/assets/kibana_template_no_data_config.png
diff --git a/dev_docs/best_practices.mdx b/dev_docs/best_practices.mdx
@@ -22,8 +22,10 @@ Refer to [divio documentation](https://documentation.divio.com/) for guidance on
 
 <DocLink id="kibDevDocsWelcome" text="Getting started" /> and
 <DocLink id="kibPlatformIntro" text="Key concepts" /> sections are both _explanation_ oriented,
-<DocLink id="kibDevTutorialBuildAPlugin" text="Tutorials" /> covers both _tutorials_ and _How to_, and
-the <DocLink id="kibDevDocsApiWelcome" text="API documentation" /> section covers _reference_ material.
+<DocLink id="kibDevTutorialDebugging" text="Tutorials" /> covers both _tutorials_ and _How to_, and the <DocLink
+  id="kibDevDocsApiWelcome"
+  text="API documentation"
+/> section covers _reference_ material.
 
 #### Location
 
@@ -256,17 +258,17 @@ links](https://elastic.github.io/eui/#/navigation/link#link-validation), and a r
 
 **Best practices**
 
-* Check for dangerous functions or assignments that can result in unescaped user input in the browser DOM. Avoid using:
-  * **React:** [`dangerouslySetInnerHtml`](https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml).
-  * **Browser DOM:** `Element.innerHTML` and `Element.outerHTML`.
-* If using the aforementioned unsafe functions or assignments is absolutely necessary, follow [these XSS prevention
-rules](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#xss-prevention-rules) to ensure that
-user input is not inserted into unsafe locations and that it is escaped properly.
-* Use EUI components to build your UI, particularly when rendering `href` links. Otherwise, sanitize user input before rendering links to
-ensure that they do not use the `javascript:` protocol.
-* Don't use the `eval`, `Function`, and `_.template` functions -- these are restricted by ESLint rules.
-* Be careful when using `setTimeout` and `setInterval` in client-side code. If an attacker can manipulate the arguments and pass a string to
-one of these, it is evaluated dynamically, which is equivalent to the dangerous `eval` function.
+- Check for dangerous functions or assignments that can result in unescaped user input in the browser DOM. Avoid using:
+  - **React:** [`dangerouslySetInnerHtml`](https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml).
+  - **Browser DOM:** `Element.innerHTML` and `Element.outerHTML`.
+- If using the aforementioned unsafe functions or assignments is absolutely necessary, follow [these XSS prevention
+  rules](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#xss-prevention-rules) to ensure that
+  user input is not inserted into unsafe locations and that it is escaped properly.
+- Use EUI components to build your UI, particularly when rendering `href` links. Otherwise, sanitize user input before rendering links to
+  ensure that they do not use the `javascript:` protocol.
+- Don't use the `eval`, `Function`, and `_.template` functions -- these are restricted by ESLint rules.
+- Be careful when using `setTimeout` and `setInterval` in client-side code. If an attacker can manipulate the arguments and pass a string to
+  one of these, it is evaluated dynamically, which is equivalent to the dangerous `eval` function.
 
 ### Cross-Site Request Forgery (CSRF/XSRF)
 
@@ -280,10 +282,10 @@ Headers](https://www.elastic.co/guide/en/kibana/master/api.html#api-request-head
 
 **Best practices**
 
-* Ensure all HTTP routes are registered with the [Kibana HTTP service](https://www.elastic.co/guide/en/kibana/master/http-service.html) to
-take advantage of the custom request header security control.
-  * Note that HTTP GET requests do **not** require the custom request header; any routes that change data should [adhere to the HTTP
-specification and use a different method (PUT, POST, etc.)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
+- Ensure all HTTP routes are registered with the [Kibana HTTP service](https://www.elastic.co/guide/en/kibana/master/http-service.html) to
+  take advantage of the custom request header security control.
+  - Note that HTTP GET requests do **not** require the custom request header; any routes that change data should [adhere to the HTTP
+    specification and use a different method (PUT, POST, etc.)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
 
 ### Remote Code Execution (RCE)
 
@@ -295,11 +297,11 @@ ESLint rules to restrict vulnerable functions, and by hooking into or hardening
 
 **Best practices**
 
-* Don't use the `eval`, `Function`, and `_.template` functions -- these are restricted by ESLint rules.
-* Don't use dynamic `require`.
-* Check for usages of templating libraries. Ensure that user-provided input doesn't influence the template and is used only as data for
-rendering the template.
-* Take extra caution when spawning child processes with any user input or parameters that are user-controlled.
+- Don't use the `eval`, `Function`, and `_.template` functions -- these are restricted by ESLint rules.
+- Don't use dynamic `require`.
+- Check for usages of templating libraries. Ensure that user-provided input doesn't influence the template and is used only as data for
+  rendering the template.
+- Take extra caution when spawning child processes with any user input or parameters that are user-controlled.
 
 ### Prototype Pollution
 
@@ -309,26 +311,26 @@ hardening sensitive functions (such as those exposed by `child_process`), and by
 
 **Best practices**
 
-* Check for instances of `anObject[a][b] = c` where `a`, `b`, and `c` are controlled by user input. This includes code paths where the
-following logical code steps could be performed in separate files by completely different operations, or by recursively using dynamic
-operations.
-* Validate all user input, including API URL parameters, query parameters, and payloads. Preferably, use a schema that only allows specific
-keys and values. At a minimum, implement a deny-list that prevents `__proto__` and `prototype.constructor` from being used within object
-keys.
-* When calling APIs that spawn new processes or perform code generation from strings, protect against Prototype Pollution by checking if
-`Object.hasOwnProperty` has arguments to the APIs that originate from an Object. An example is the defunct Code app's
-[`spawnProcess`](https://github.com/elastic/kibana/blob/b49192626a8528af5d888545fb14cd1ce66a72e7/x-pack/legacy/plugins/code/server/lsp/workspace_command.ts#L40-L44)
-function.
-  * Common Node.js offenders: `child_process.spawn`, `child_process.exec`, `eval`, `Function('some string')`, `vm.runInContext(x)`,
-`vm.runInNewContext(x)`, `vm.runInThisContext()`
-  * Common client-side offenders: `eval`, `Function('some string')`, `setTimeout('some string', num)`, `setInterval('some string', num)`
+- Check for instances of `anObject[a][b] = c` where `a`, `b`, and `c` are controlled by user input. This includes code paths where the
+  following logical code steps could be performed in separate files by completely different operations, or by recursively using dynamic
+  operations.
+- Validate all user input, including API URL parameters, query parameters, and payloads. Preferably, use a schema that only allows specific
+  keys and values. At a minimum, implement a deny-list that prevents `__proto__` and `prototype.constructor` from being used within object
+  keys.
+- When calling APIs that spawn new processes or perform code generation from strings, protect against Prototype Pollution by checking if
+  `Object.hasOwnProperty` has arguments to the APIs that originate from an Object. An example is the defunct Code app's
+  [`spawnProcess`](https://github.com/elastic/kibana/blob/b49192626a8528af5d888545fb14cd1ce66a72e7/x-pack/legacy/plugins/code/server/lsp/workspace_command.ts#L40-L44)
+  function.
+  - Common Node.js offenders: `child_process.spawn`, `child_process.exec`, `eval`, `Function('some string')`, `vm.runInContext(x)`,
+    `vm.runInNewContext(x)`, `vm.runInThisContext()`
+  - Common client-side offenders: `eval`, `Function('some string')`, `setTimeout('some string', num)`, `setInterval('some string', num)`
 
 See also:
 
-* [Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications |
-portswigger.net](https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications)
-* [Prototype pollution attack in NodeJS application | Olivier
-Arteau](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)
+- [Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications |
+  portswigger.net](https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications)
+- [Prototype pollution attack in NodeJS application | Olivier
+  Arteau](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)
 
 ### Server-Side Request Forgery (SSRF)
 
@@ -339,12 +341,12 @@ a vector for information disclosure or injection attacks.
 
 **Best practices**
 
-* Ensure that all outbound requests from the Kibana server use hard-coded URLs.
-* If user input is used to construct a URL for an outbound request, ensure that an allow-list is used to validate the endpoints and that
-user input is escaped properly. Ideally, the allow-list should be set in `kibana.yml`, so only server administrators can change it.
-  * This is particularly relevant when using `transport.request` with the Elasticsearch client, as no automatic escaping is performed.
-  * Note that URLs are very hard to validate properly; exact match validation for user input is most preferable, while URL parsing or RegEx
-validation should only be used if absolutely necessary.
+- Ensure that all outbound requests from the Kibana server use hard-coded URLs.
+- If user input is used to construct a URL for an outbound request, ensure that an allow-list is used to validate the endpoints and that
+  user input is escaped properly. Ideally, the allow-list should be set in `kibana.yml`, so only server administrators can change it.
+  - This is particularly relevant when using `transport.request` with the Elasticsearch client, as no automatic escaping is performed.
+  - Note that URLs are very hard to validate properly; exact match validation for user input is most preferable, while URL parsing or RegEx
+    validation should only be used if absolutely necessary.
 
 ### Reverse tabnabbing
 
@@ -356,10 +358,10 @@ buttons, and other vulnerable DOM elements.
 
 **Best practices**
 
-* Use EUI components to build your UI whenever possible. Otherwise, ensure that any DOM elements that have an `href` attribute also have the
-`rel="noreferrer noopener"` attribute specified. For more information, refer to the [OWASP HTML5 Security Cheat
-Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md#tabnabbing).
-* If using a non-EUI markdown renderer, use a custom link renderer for rendered links.
+- Use EUI components to build your UI whenever possible. Otherwise, ensure that any DOM elements that have an `href` attribute also have the
+  `rel="noreferrer noopener"` attribute specified. For more information, refer to the [OWASP HTML5 Security Cheat
+  Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md#tabnabbing).
+- If using a non-EUI markdown renderer, use a custom link renderer for rendered links.
 
 ### Information disclosure
 
@@ -370,7 +372,7 @@ control, but at a high level, Kibana relies on the hapi framework to automatical
 
 **Best practices**
 
-* Look for instances where sensitive information might accidentally be revealed, particularly in error messages, in the UI, and URL
-parameters that are exposed to users.
-* Make sure that sensitive request data is not forwarded to external resources. For example, copying client request headers and using them
-to make an another request could accidentally expose the user's credentials.
+- Look for instances where sensitive information might accidentally be revealed, particularly in error messages, in the UI, and URL
+  parameters that are exposed to users.
+- Make sure that sensitive request data is not forwarded to external resources. For example, copying client request headers and using them
+  to make an another request could accidentally expose the user's credentials.
diff --git a/dev_docs/getting_started/add_data.mdx b/dev_docs/getting_started/add_data.mdx
@@ -0,0 +1,37 @@
+---
+id: kibDevAddData
+slug: /kibana-dev-docs/tutorial/sample-data
+title: Add data
+summary: Learn how to add data to Kibana
+date: 2021-08-11
+tags: ['kibana', 'onboarding', 'dev', 'architecture', 'tutorials']
+---
+
+Building a feature and need an easy way to test it out with some data? Below are three options.
+
+## 1. Add Sample Data from the UI
+
+Kibana ships with sample data that you can install at the click of the button. If you are building a feature and need some data to test it out with, sample data is a great option. The only limitation is that this data will not work for Security or Observability solutions (see [#62962](https://github.com/elastic/kibana/issues/62962)).
+
+1. Navigate to the home page.
+2. Click **Add data**.
+3. Click on the **Sample data** tab.
+4. Select a dataset by clicking on the **Add data** button.
+
+![Sample Data](../assets/sample_data.png)
+
+## CSV Upload
+
+1. If you don't have any data, navigate to Stack Management > Index Patterns and click the link to the uploader. If you do have data, navigate to the **Machine Learning** application.
+2. Click on the **Data Visualizer** tab.
+3. Click on **Select file** in the **Import data** container.
+
+![CSV Upload](../assets/ml_csv_upload.png)
+
+## makelogs
+
+The makelogs script generates sample web server logs. Make sure Elasticsearch is running before running the script.
+
+```sh
+node scripts/makelogs --auth <username>:<password>
+```
diff --git a/dev_docs/getting_started/dev_welcome.mdx b/dev_docs/getting_started/dev_welcome.mdx
@@ -14,7 +14,8 @@ Kibana ships with many out-of-the-box capabilities that can be extended and enha
 Recommended next reading:
 
 1. <DocLink id="kibDevTutorialSetupDevEnv" text="Set up your development environment" />
-2. Create a simple <DocLink id="kibHelloWorldApp" text="Hello World plugin"/>.
+2. Create a <DocLink id="kibHelloWorldApp" text="Hello World plugin"/>.
+3. <DocLink id="kibDevAddData" text="Add data" />.
 
 Check out our <DocLink id="kibDevDocsApiWelcome" text="API documentation" /> to dig into the nitty gritty details of
 every public plugin API.