Arguments for wazuh-api.js:makeRequest are not validated

[jesuslinares]

The argument of wazuh-api.js:makeRequest must be validated to prevent possible security issues.

async makeRequest(method, path, data, id, reply)

Some ideas:

• method: "^GET$|^PUT$|^POST$|^DELETE$"
• path: "^/. +"
• id: "^\d+$"

[juankaromo]

Hi @jesuslinares

From now on, the request method is validated (so that it can only be GET|PUT|POST|DELETE) and the path must start with /.

As for the id we can not validate it because although initially, it is a timestamp, you can modify the value in the index and, in addition, in the future version of Wazuh the index .wazuh will be obsolete in favor of a configuration file where users can enter the id they want.

https://github.com/wazuh/wazuh-kibana-app/blob/098c04546f04aeece69bdeac7bc3dbdbc481c600/server/controllers/wazuh-api.js#L964-L974