diff --git a/.gitignore b/.gitignore
index 77a0dfcc7b5a2..3e8687bf80df7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -175,6 +175,8 @@ oas_docs/output/kibana.serverless.tmp*.yaml
 oas_docs/output/kibana.tmp*.yaml
 oas_docs/output/kibana.new.yaml
 oas_docs/output/kibana.serverless.new.yaml
+oas_docs/bundle.json
+oas_docs/bundle.serverless.json
 .codeql
 .dependency-graph-log.json
diff --git a/x-pack/platform/plugins/shared/actions/server/lib/oauth_state_client.ts b/x-pack/platform/plugins/shared/actions/server/lib/oauth_state_client.ts
index 924ae7d5ef0f8..4767d8f4e3d44 100644
--- a/x-pack/platform/plugins/shared/actions/server/lib/oauth_state_client.ts
+++ b/x-pack/platform/plugins/shared/actions/server/lib/oauth_state_client.ts
@@ -10,6 +10,7 @@ import { omitBy, isUndefined } from 'lodash';
 import type { EncryptedSavedObjectsClient } from '@kbn/encrypted-saved-objects-plugin/server';
 import type { Logger, SavedObjectsClientContract } from '@kbn/core/server';
 import { SavedObjectsUtils } from '@kbn/core/server';
+import { escapeQuotes } from '@kbn/es-query';
 import { OAUTH_STATE_SAVED_OBJECT_TYPE } from '../constants/saved_objects';
 const STATE_EXPIRATION_MS = 10 * 60 * 1000; // 10 minutes
@@ -134,14 +135,17 @@ export class OAuthStateClient {
    */
   public async get(stateParam: string): Promise {
     try {
+      const sanitisedStateParam = escapeQuotes(stateParam);
       const result = await this.unsecuredSavedObjectsClient.find({
         type: OAUTH_STATE_SAVED_OBJECT_TYPE,
-        filter: `${OAUTH_STATE_SAVED_OBJECT_TYPE}.attributes.state: "${stateParam}"`,
+        filter: `${OAUTH_STATE_SAVED_OBJECT_TYPE}.attributes.state: "${sanitisedStateParam}"`,
         perPage: 1,
       });
       if (result.saved_objects.length === 0) {
-        this.logger.warn(`OAuth state not found for state parameter: ${stateParam}`);
+        this.logger.warn(
+          `OAuth state not found for state parameter: ${stateParam}. Sanitised parameter: ${sanitisedStateParam}`
+        );
         return null;
       }
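Review bot: The `get()` hunk in oauth_state_client.ts still assembles the KQL filter by string interpolation, now wrapped in `escapeQuotes()`; that is the correct escaping for a double-quoted KQL value, but if the saved-objects `find()` options here accept a `KueryNode` as they do elsewhere in Kibana, building the node removes the string-building altogether: `filter: nodeBuilder.is(OAUTH_STATE_SAVED_OBJECT_TYPE + '.attributes.state', stateParam)` with `nodeBuilder` imported from `@kbn/es-query` in place of `escapeQuotes`. The new warn message interpolates both the raw and the escaped `stateParam`; the escaped form adds nothing the raw one does not, and since this value presumably arrives from the OAuth callback's `state` query parameter, an unbounded caller-controlled string lands in the log verbatim, so logging it once in a bounded or JSON-stringified form is preferable, e.g. `this.logger.warn('OAuth state not found for state parameter: ' + JSON.stringify(stateParam))`. The body of `get()` runs past the end of the hunk, so the error handling after the `try` is not visible here.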
diff --git a/x-pack/platform/plugins/shared/actions/server/routes/oauth_callback.ts b/x-pack/platform/plugins/shared/actions/server/routes/oauth_callback.ts
index c3c9bb0579413..cf67f2dfd6a57 100644
--- a/x-pack/platform/plugins/shared/actions/server/routes/oauth_callback.ts
+++ b/x-pack/platform/plugins/shared/actions/server/routes/oauth_callback.ts
@@ -8,6 +8,7 @@ import { schema } from '@kbn/config-schema';
 import type { CoreSetup, IRouter, Logger } from '@kbn/core/server';
 import { i18n } from '@kbn/i18n';
+import { escape } from 'lodash';
 import type { ActionsPluginsStart } from '../plugin';
 import type { ILicenseState } from '../lib';
 import { BASE_ACTION_API_PATH } from '../../common';
@@ -104,6 +105,10 @@ function generateOAuthCallbackPage({
 }): string {
   const iconColor = isSuccess ? '#00BFB3' : '#BD271E';
   const icon = isSuccess ? '✓' : '✕';
+  const sanitisedTitle = escape(title);
+  const sanitisedHeading = escape(heading);
+  const sanitisedMessage = escape(message);
+  const sanitisedDetails = details ? escape(details) : '';
   return `
@@ -111,7 +116,7 @@ function generateOAuthCallbackPage({
-      ${title}
+      ${sanitisedTitle}
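Review bot: The four `escape()` calls added at the top of `generateOAuthCallbackPage` are HTML-entity escaping only, which is sufficient for element text and double-quoted attribute values but not for a script body, an inline event handler or a URL-valued attribute; the template that consumes them begins at `return` and runs past this hunk (the following hunk shows only the title substitution, and the page's markup lines were lost in this rendering), so the remaining interpolation sites cannot be checked here. A one-line comment above the block would pin that contract for the next editor: `// HTML-entity escaped: interpolate only into element text or double-quoted attribute values`. Minor: lodash's `escape()` returns '' for `undefined`, so `details ? escape(details) : ''` can become `escape(details)` if `details` is simply optional, though the ternary is harmless as written.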