[HTTP] Safer client calls and new browser buildPath utility#257230
Merged
jloleysens merged 32 commits intoApr 3, 2026
Merged
Conversation
jloleysens
added
Team:Core
Contributor
|
Pinging @elastic/kibana-core (Team:Core) |
Contributor
|
🤖 Jobs for this PR can be triggered through checkboxes. 🚧
ℹ️ To trigger the CI, please tick the checkbox below 👇
|
Contributor
Author
|
/ci |
jloleysens
changed the title
buildPath utilitydelete calls and new browser buildPath utility
Contributor
Author
|
/ci |
2 similar comments
Contributor
Author
|
/ci |
Contributor
Author
|
/ci |
jloleysens
changed the title
delete calls and new browser buildPath utilitybuildPath utility
Contributor
Author
|
/ci |
1 similar comment
Contributor
Author
|
/ci |
Block encoded path traversal segments at the HTTP onRequest layer so Kibana rejects traversal attempts before routing or URL rewriting can redirect requests to unintended endpoints. Made-with: Cursor
This reverts commit eda3429.
Cover the new browser-side path builder and verify dashboard client routes encode path params instead of interpolating raw ids into request URLs. Made-with: Cursor
…r-build-path-utility
delanni
reviewed
Apr 2, 2026
| }, | ||
| { | ||
| code: dedent` | ||
| const path = \`/api/dashboards/${'${id}'}\`; |
Member
There was a problem hiding this comment.
It took me a bit to grasp what this is :) Was it your choice to 'escape' the variable symbols like this, or was this suggested by cursor?
If I had to chose, I'd pick the \ way:
Suggested change
| const path = \`/api/dashboards/${'${id}'}\`; | |
| const path = \`/api/dashboards/\${id}\`; |
Contributor
Author
There was a problem hiding this comment.
For some reason this format was not working, at least not as intended. I'll refactor for better readability. I agree the cruft introduced by ${'${... is pretty noisey
delanni
approved these changes
Apr 2, 2026
Member
delanni
left a comment
delanni
left a comment
There was a problem hiding this comment.
Outside the escaping nitpick, it looks good!
walterra
approved these changes
Apr 3, 2026
Contributor
walterra
left a comment
walterra
left a comment
There was a problem hiding this comment.
datavis code review only LGTM.
jloleysens
added
v9.3.4
v8.19.15
backport:all-open
Contributor
|
Starting backport for target branches: 8.19, 9.2, 9.3, 9.4 https://github.com/elastic/kibana/actions/runs/24826911443 |
Contributor
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
This was referenced Apr 23, 2026
kibanamachine
added
the
backport missing
Contributor
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
1 similar comment
Contributor
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
jloleysens
added a commit
that referenced
this pull request
Apr 28, 2026
…265249) ## Summary Backport #257230 to `8.19`. Resolved branch-specific conflicts while keeping the older `8.19` dashboard and lens implementations intact. ## Validation Could not run `node scripts/check_changes.ts` or Jest in the temporary backport repo because dependencies are not bootstrapped there. (Made with cursor y'all) --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: Gerard Soldevila <gerard.soldevila@elastic.co> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>
Contributor
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
8 tasks
jloleysens
added a commit
that referenced
this pull request
Apr 28, 2026
…65250) ## Summary Backport #257230 to `9.3`. Resolved branch-specific conflicts for the older branch layout while preserving the intended path-safety changes. ## Validation Could not run `node scripts/check_changes.ts` or Jest in the temporary backport repo because dependencies are not bootstrapped there. (Made with cursor y'all) --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: Gerard Soldevila <gerard.soldevila@elastic.co> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
kibanamachine
removed
the
backport missing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
16 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
http<method>calls are used dangerously: direct path injectionbuildPathutility that can be used with server-side routes/api/myapi/{id}to safely build and encode path parameters (bonus: server-side pathconsts can be reused by the client directly, no need to build these separately by hand)No unsafe
httppath usageWill flag usages of
httplike:With a message to use
buildPathorencodeURIComponentin order to safely encode parameters.buildPathNot strictly needed in this PR, this utility allows for using server side paths like
/api/myapi/{id}in a parameterised fashion like:Happy to exclude this utility if it simplifies things.
(Made with cursor y'all)