
[8.17] [Security Solution] Fix code scanning alert no. 469: Prototype-polluting function (#201712) #202081

Merged
merged 1 commit into elastic:8.17 on Nov 27, 2024

Conversation

kibanamachine

Backport

This will backport the following commits from main to 8.17:

Questions? Please refer to the Backport tool documentation.

…ing function (elastic#201712)

Fixes
[https://github.com/elastic/kibana/security/code-scanning/469](https://github.com/elastic/kibana/security/code-scanning/469)

While I don't think this is actually an issue, as `source` is only a set
of ECS fields that ultimately are defined in the code and not controlled
by the user
(https://github.com/elastic/kibana/blob/main/packages/kbn-alerts-as-data-utils/src/search/security/fields.ts#L47),
this suggested fix doesn't have any negative impact and makes it
future-proof if ever used elsewhere.

To fix the prototype pollution issue in the `deepMerge` function, we
need to ensure that the function does not copy the special properties
`__proto__` and `constructor`. Additionally, we should verify that the
properties being copied are own properties of the `source` object. This
can be achieved by adding checks within the `deepMerge` function.

_Suggested fixes powered by Copilot Autofix. Review carefully before
merging._

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: kibanamachine <[email protected]>
(cherry picked from commit bcbf85a)
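An added example (not Kibana's code and not the patch in this PR) that applies the two checks the commit message names to a small recursive merge: a naive merge beside the hardened one, run on a constructed JSON payload whose own `__proto__` key would otherwise be walked into `Object.prototype`. The `naiveDeepMerge`, `safeDeepMerge` and `demo` names and the `polluted` key are the example's own.

```javascript
// Added example, not Kibana's deepMerge: the payload and names are constructed.
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive merge: walks every enumerable key, including an own "__proto__"
// key that JSON.parse produces, and recurses into whatever target[key] is.
function naiveDeepMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below writes the nested properties onto the shared prototype.
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips the special keys named in the commit message and
// only copies own enumerable properties of source (Object.keys), never
// inherited ones; target[key] is only reused when it is an own plain object.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor']);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) &&
        isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Runs both merges on the same constructed payload and reports whether an
// unrelated, freshly created object picked up the injected property.
function demo() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "a": 1}');
  naiveDeepMerge({}, payload);
  const naiveLeaks = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution before the second run
  const merged = safeDeepMerge({ b: 2 }, payload);
  const safeLeaks = ({}).polluted === true;
  return { naiveLeaks, safeLeaks, merged };
}

console.log(demo()); // naiveLeaks: true, safeLeaks: false, merged: { b: 2, a: 1 }
```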
@kibanamachine kibanamachine merged commit b719f99 into elastic:8.17 Nov 27, 2024
11 checks passed
@elasticmachine

💚 Build Succeeded

Metrics

Unknown metric groups

ESLint disabled line counts

| id | before | after | diff |
|---|---|---|---|
| timelines | 26 | 27 | +1 |

Total ESLint disabled count

| id | before | after | diff |
|---|---|---|---|
| timelines | 26 | 27 | +1 |

cc @kqualters-elastic
