diff --git a/src/platform/packages/shared/content-management/access_control/access_control_server/src/register_access_control.ts b/src/platform/packages/shared/content-management/access_control/access_control_server/src/register_access_control.ts
index 3966f6abf1a87..d53debfd5316f 100644
--- a/src/platform/packages/shared/content-management/access_control/access_control_server/src/register_access_control.ts
+++ b/src/platform/packages/shared/content-management/access_control/access_control_server/src/register_access_control.ts
@@ -91,7 +91,8 @@ export const registerAccessControl = async ({
         schema.object({
           type: schema.string(),
           id: schema.string(),
-        })
+        }),
+        { maxSize: 100 }
       ),
       accessMode: schema.oneOf([
         schema.literal('write_restricted'),
@@ -103,6 +104,7 @@ export const registerAccessControl = async ({
         200: {
           body: () =>
             schema.object({
+              // codeql[js/kibana/unbounded-array-in-schema] output schema — server controls the response size
               results: schema.arrayOf(
                 schema.object({
                   type: schema.string(),
diff --git a/src/platform/packages/shared/content-management/favorites/favorites_server/src/favorites_saved_object.ts b/src/platform/packages/shared/content-management/favorites/favorites_server/src/favorites_saved_object.ts
index 776133f408975..38dc984ac05e2 100644
--- a/src/platform/packages/shared/content-management/favorites/favorites_server/src/favorites_saved_object.ts
+++ b/src/platform/packages/shared/content-management/favorites/favorites_server/src/favorites_saved_object.ts
@@ -20,6 +20,7 @@ export interface FavoritesSavedObjectAttributes {
 const schemaV1 = schema.object({
   userId: schema.string(),
   type: schema.string(), // object type, e.g. dashboard
+  // codeql[js/kibana/unbounded-array-in-schema] saved object schema — not route input
   favoriteIds: schema.arrayOf(schema.string()),
 });
 
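Review bot: The new `maxSize: 100` bounds how many objects one request may carry, but each element's `type` and `id` are still plain `schema.string()` with no length floor, so an empty `id` or `type` passes validation and reaches the handler. bulk_get.ts in this same change uses `schema.string({ minLength: 1 })` for its ids; using `type: schema.string({ minLength: 1 }), id: schema.string({ minLength: 1 })` here keeps the two bulk input schemas consistent and rejects malformed references before any saved-object lookup. The enclosing route definition starts before the hunk, so whether the handler already filters empty values is not visible here.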
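Review bot: The suppression rationale on `favoriteIds` ("saved object schema — not route input") is only half the story: an attribute schema validates what is already stored, it does not bound how many ids a user can accumulate, so the real cap has to live wherever ids are appended. If the favorites service enforces a per-user maximum (not visible in this hunk), the comment should name it so the suppression is auditable, e.g. `// codeql[js/kibana/unbounded-array-in-schema] stored attribute — growth is capped by the favorites service limit on add`. If no such cap exists, this is an unbounded growth path via whatever route appends ids rather than a false positive, and the suppression would be hiding it.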
diff --git a/src/platform/plugins/shared/content_management/common/rpc/bulk_get.ts b/src/platform/plugins/shared/content_management/common/rpc/bulk_get.ts
index a96ff44780398..911e394be4c06 100644
--- a/src/platform/plugins/shared/content_management/common/rpc/bulk_get.ts
+++ b/src/platform/plugins/shared/content_management/common/rpc/bulk_get.ts
@@ -20,13 +20,14 @@ export const bulkGetSchemas = {
     {
       contentTypeId: schema.string(),
       version: versionSchema,
-      ids: schema.arrayOf(schema.string({ minLength: 1 }), { minSize: 1 }),
+      ids: schema.arrayOf(schema.string({ minLength: 1 }), { minSize: 1, maxSize: 100 }),
       options: schema.maybe(schema.object({}, { unknowns: 'allow' })),
     },
     { unknowns: 'forbid' }
   ),
   out: schema.object(
     {
+      // codeql[js/kibana/unbounded-array-in-schema] output schema — server controls the response size
       hits: schema.arrayOf(getResultSchema),
       meta: schema.maybe(schema.object({}, { unknowns: 'allow' })),
     },
diff --git a/src/platform/plugins/shared/content_management/common/rpc/msearch.ts b/src/platform/plugins/shared/content_management/common/rpc/msearch.ts
index 9d3696450f9a8..2d5fc36440e28 100644
--- a/src/platform/plugins/shared/content_management/common/rpc/msearch.ts
+++ b/src/platform/plugins/shared/content_management/common/rpc/msearch.ts
@@ -22,6 +22,7 @@ export const mSearchSchemas = {
       schema.object({ contentTypeId: schema.string(), version: versionSchema }),
       {
         minSize: 1,
+        maxSize: 100,
       }
     ),
     query: searchQuerySchema,
@@ -30,6 +31,7 @@ export const mSearchSchemas = {
   ),
   out: schema.object(
     {
+      // codeql[js/kibana/unbounded-array-in-schema] output schema — server controls the response size
       contentTypes: schema.arrayOf(
         schema.object({ contentTypeId: schema.string(), version: versionSchema })
       ),
diff --git a/src/platform/plugins/shared/content_management/common/rpc/search.ts b/src/platform/plugins/shared/content_management/common/rpc/search.ts
index 3f977450d81b8..e35bbd291895b 100644
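Review bot: The literal `100` is now the array cap in at least seven schemas across this change (bulk_get, msearch, search, files find, global_search, tagging) with no shared definition, so the limit can neither be tuned nor documented in one place. For the schemas under `common/rpc`, which already share a package, a named constant would do, e.g. `export const MAX_BULK_IDS = 100;` and `ids: schema.arrayOf(schema.string({ minLength: 1 }), { minSize: 1, maxSize: MAX_BULK_IDS })`, with a one-line comment on the constant stating why 100 was chosen. The element type still has no `maxLength`, so per-item size continues to rely on the server's payload limit; that is probably acceptable but worth saying in the same comment.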
--- a/src/platform/plugins/shared/content_management/common/rpc/search.ts
+++ b/src/platform/plugins/shared/content_management/common/rpc/search.ts
@@ -19,8 +19,8 @@ export const searchQuerySchema = schema.oneOf([
     text: schema.maybe(schema.string()),
     tags: schema.maybe(
       schema.object({
-        included: schema.maybe(schema.arrayOf(schema.string())),
-        excluded: schema.maybe(schema.arrayOf(schema.string())),
+        included: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })),
+        excluded: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })),
       })
     ),
     limit: schema.maybe(schema.number()),
@@ -33,6 +33,7 @@ export const searchQuerySchema = schema.oneOf([
 ]);
 
 export const searchResultSchema = schema.object({
+  // codeql[js/kibana/unbounded-array-in-schema] output schema — server controls the response size
   hits: schema.arrayOf(schema.any()),
   pagination: schema.object({
     total: schema.number(),
diff --git a/src/platform/plugins/shared/files/server/routes/find.ts b/src/platform/plugins/shared/files/server/routes/find.ts
index 17db6a49d4074..56e0998da6fd2 100644
--- a/src/platform/plugins/shared/files/server/routes/find.ts
+++ b/src/platform/plugins/shared/files/server/routes/find.ts
@@ -21,8 +21,14 @@ const method = 'post' as const;
 const string64 = schema.string({ minLength: 1, maxLength: 64 });
 const string256 = schema.string({ minLength: 1, maxLength: 256 });
 
-export const stringOrArrayOfStrings = schema.oneOf([string64, schema.arrayOf(string64)]);
-export const nameStringOrArrayOfNameStrings = schema.oneOf([string256, schema.arrayOf(string256)]);
+export const stringOrArrayOfStrings = schema.oneOf([
+  string64,
+  schema.arrayOf(string64, { maxSize: 100 }),
+]);
+export const nameStringOrArrayOfNameStrings = schema.oneOf([
+  string256,
+  schema.arrayOf(string256, { maxSize: 100 }),
+]);
 
 export function toArrayOrUndefined(val?: string | string[]): undefined | string[] {
   if (val == null) return undefined;
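Review bot: The tag arrays are now capped at 100 entries, but `limit: schema.maybe(schema.number())` on the context line directly below the change still accepts any value — negative, zero, or an arbitrarily large page size — which is the same unbounded-work concern this change is addressing. A bounded number such as `limit: schema.maybe(schema.number({ min: 1, max: 1000 }))`, with the ceiling chosen to match what the search handler is willing to return, closes that gap in the same schema. The handler that consumes `limit` is outside this hunk, so I cannot confirm whether it clamps the value itself; if it does, a comment on `limit` saying so would stop the next reader from asking the same question.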
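Review bot: `stringOrArrayOfStrings` and `nameStringOrArrayOfNameStrings` are exported, so the new 100-item cap now silently applies to any other route that reuses them, and nothing at the definition says so. A short TSDoc on each export would make that contract visible to reusers, e.g. `/** One value or up to 100 values, each 1–64 chars; shared with other file routes that accept list filters. */` on the first and the 256-char equivalent on the second. If some reuser legitimately needs more than 100 entries, the limit belongs in a parameter or a second export rather than baked into the shared one.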
diff --git a/src/platform/plugins/shared/home/server/services/sample_data/lib/sample_dataset_schema.ts b/src/platform/plugins/shared/home/server/services/sample_data/lib/sample_dataset_schema.ts
index fbcbe5384ff4f..65f7004e646d4 100644
--- a/src/platform/plugins/shared/home/server/services/sample_data/lib/sample_dataset_schema.ts
+++ b/src/platform/plugins/shared/home/server/services/sample_data/lib/sample_dataset_schema.ts
@@ -28,6 +28,7 @@ const dataIndexSchema = schema.object({
   fields: schema.recordOf(schema.string(), schema.any()),
 
   // times fields that will be updated relative to now when data is installed
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   timeFields: schema.arrayOf(schema.string()),
 
   // should index be created as data stream
@@ -79,18 +80,21 @@ export const sampleDataSchema = schema.object({
   // Kibana saved objects (index patter, visualizations, dashboard, ...)
   // Should provide a nice demo of Kibana's functionality with the sample data set
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   savedObjects: schema.arrayOf(
     schema.object(
       {
         id: schema.string(),
         type: schema.string(),
         attributes: schema.any(),
+        // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
         references: schema.arrayOf(schema.any()),
         version: schema.maybe(schema.any()),
       },
       { unknowns: 'allow' }
     )
   ),
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   dataIndices: schema.arrayOf(dataIndexSchema),
 
   status: schema.maybe(schema.string()),
diff --git a/src/platform/plugins/shared/home/server/services/tutorials/lib/tutorial_schema.ts b/src/platform/plugins/shared/home/server/services/tutorials/lib/tutorial_schema.ts
index f56a176eb5e8f..1f6cf492a03f7 100644
--- a/src/platform/plugins/shared/home/server/services/tutorials/lib/tutorial_schema.ts
+++ b/src/platform/plugins/shared/home/server/services/tutorials/lib/tutorial_schema.ts
@@ -32,6 +32,7 @@ const artifactsSchema = schema.object({
     })
   ),
   // Kibana dashboards created by this product.
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   dashboards: schema.arrayOf(dashboardSchema),
   application: schema.maybe(
     schema.object({
@@ -49,6 +50,7 @@ const statusCheckSchema = schema.object({
   success: schema.maybe(schema.string()),
   error: schema.maybe(schema.string()),
   esHitsCheck: schema.object({
+    // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
     index: schema.oneOf([schema.string(), schema.arrayOf(schema.string())]),
     query: schema.recordOf(schema.string(), schema.any()),
   }),
@@ -58,6 +60,7 @@ export type StatusCheckSchema = TypeOf;
 const instructionSchema = schema.object({
   title: schema.maybe(schema.string()),
   textPre: schema.maybe(schema.string()),
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   commands: schema.maybe(schema.arrayOf(schema.string())),
   textPost: schema.maybe(schema.string()),
   customComponentName: schema.maybe(schema.string()),
@@ -66,6 +69,7 @@ export type Instruction = TypeOf;
 
 const instructionVariantSchema = schema.object({
   id: schema.string(),
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   instructions: schema.arrayOf(instructionSchema),
   initialSelected: schema.maybe(schema.boolean()),
 });
@@ -82,12 +86,14 @@ const instructionSetSchema = schema.object({
     })
   ),
   // Variants (OSes, languages, etc.) for which tutorial instructions are specified.
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   instructionVariants: schema.arrayOf(instructionVariantSchema),
   statusCheck: schema.maybe(statusCheckSchema),
 });
 export type InstructionSetSchema = TypeOf;
 
 const instructionsSchema = schema.object({
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   instructionSets: schema.arrayOf(instructionSetSchema),
 });
 export type InstructionsSchema = TypeOf;
@@ -144,6 +150,7 @@ export const tutorialSchema = schema.object({
   customStatusCheckName: schema.maybe(schema.string()),
 
   // Category assignment for the integration browser
+  // codeql[js/kibana/unbounded-array-in-schema] internal registration schema — not route input
   integrationBrowserCategories: schema.maybe(schema.arrayOf(schema.string())),
 
   // Name of an equivalent package in EPR. e.g. this needs to be explicitly defined if it cannot be derived from a heuristic.
diff --git a/x-pack/platform/plugins/shared/global_search/server/routes/find.ts b/x-pack/platform/plugins/shared/global_search/server/routes/find.ts
index 7d72a53def922..3f2bd50635693 100644
--- a/x-pack/platform/plugins/shared/global_search/server/routes/find.ts
+++ b/x-pack/platform/plugins/shared/global_search/server/routes/find.ts
@@ -24,8 +24,8 @@ export const registerInternalFindRoute = (router: GlobalSearchRouter) => {
       body: schema.object({
         params: schema.object({
           term: schema.maybe(schema.string()),
-          types: schema.maybe(schema.arrayOf(schema.string())),
-          tags: schema.maybe(schema.arrayOf(schema.string())),
+          types: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })),
+          tags: schema.maybe(schema.arrayOf(schema.string(), { maxSize: 100 })),
         }),
         options: schema.maybe(
           schema.object({
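Review bot: `types` and `tags` are now capped, but `term: schema.maybe(schema.string())` on the context line directly above them has no `maxLength`, so the search term's size is bounded only by the server's payload limit even though it is presumably fanned out to every registered result provider. Giving it a ceiling in the same spirit, e.g. `term: schema.maybe(schema.string({ maxLength: 1000 }))`, keeps the route's input bounds consistent; the exact value should match what the providers can usefully search on. The `options` object is cut off by the hunk, so I have not reviewed whether it carries its own unbounded fields.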
diff --git a/x-pack/platform/plugins/shared/saved_objects_tagging/server/routes/assignments/find_assignable_objects.ts b/x-pack/platform/plugins/shared/saved_objects_tagging/server/routes/assignments/find_assignable_objects.ts
index 990edf207879c..ff36e4ebfd4c4 100644
--- a/x-pack/platform/plugins/shared/saved_objects_tagging/server/routes/assignments/find_assignable_objects.ts
+++ b/x-pack/platform/plugins/shared/saved_objects_tagging/server/routes/assignments/find_assignable_objects.ts
@@ -24,7 +24,9 @@ export const registerFindAssignableObjectsRoute = (router: TagsPluginRouter) =>
       query: schema.object({
         search: schema.maybe(schema.string()),
         max_results: schema.number({ min: 0, defaultValue: 1000 }),
-        types: schema.maybe(schema.oneOf([schema.string(), schema.arrayOf(schema.string())])),
+        types: schema.maybe(
+          schema.oneOf([schema.string(), schema.arrayOf(schema.string(), { maxSize: 100 })])
+        ),
       }),
     },
   },
diff --git a/x-pack/platform/plugins/shared/saved_objects_tagging/server/routes/assignments/update_tags_assignments.ts b/x-pack/platform/plugins/shared/saved_objects_tagging/server/routes/assignments/update_tags_assignments.ts
index 6c53c68b81a02..c5d192fb506bb 100644
--- a/x-pack/platform/plugins/shared/saved_objects_tagging/server/routes/assignments/update_tags_assignments.ts
+++ b/x-pack/platform/plugins/shared/saved_objects_tagging/server/routes/assignments/update_tags_assignments.ts
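Review bot: `max_results: schema.number({ min: 0, defaultValue: 1000 })` on the context line right above the changed `types` has a floor but no ceiling, so a caller can still request an arbitrarily large result set from a single query even though the `types` array is now bounded; the route's cost is only capped in one dimension. Adding an upper bound, e.g. `max_results: schema.number({ min: 0, max: 10000, defaultValue: 1000 })`, with the value set to whatever the underlying saved-objects find is willing to page through, makes the request bounded in both. The handler that consumes `max_results` is outside this hunk, so I cannot tell whether it already clamps the value; if it does, a comment here saying so would be enough.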
@@ -28,9 +28,9 @@ export const registerUpdateTagsAssignmentsRoute = (router: TagsPluginRouter) =>
       validate: {
         body: schema.object(
           {
-            tags: schema.arrayOf(schema.string(), { minSize: 1 }),
-            assign: schema.arrayOf(objectReferenceSchema, { defaultValue: [] }),
-            unassign: schema.arrayOf(objectReferenceSchema, { defaultValue: [] }),
+            tags: schema.arrayOf(schema.string(), { minSize: 1, maxSize: 100 }),
+            assign: schema.arrayOf(objectReferenceSchema, { defaultValue: [], maxSize: 1000 }),
+            unassign: schema.arrayOf(objectReferenceSchema, { defaultValue: [], maxSize: 1000 }),
           },
           {
             validate: ({ assign, unassign }) => {
diff --git a/x-pack/platform/plugins/shared/saved_objects_tagging/server/routes/internal/bulk_delete.ts b/x-pack/platform/plugins/shared/saved_objects_tagging/server/routes/internal/bulk_delete.ts
index 9fa33d7004f71..580074d26825a 100644
--- a/x-pack/platform/plugins/shared/saved_objects_tagging/server/routes/internal/bulk_delete.ts
+++ b/x-pack/platform/plugins/shared/saved_objects_tagging/server/routes/internal/bulk_delete.ts
@@ -21,7 +21,7 @@ export const registerInternalBulkDeleteRoute = (router: TagsPluginRouter) => {
     },
     validate: {
       body: schema.object({
-        ids: schema.arrayOf(schema.string()),
+        ids: schema.arrayOf(schema.string(), { maxSize: 100 }),
       }),
     },
   },
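Review bot: The three caps bound each array independently, but the work a single request can demand is their product: up to 100 `tags` applied across up to 1000 `assign` plus 1000 `unassign` references, i.e. up to 200,000 tag-reference updates per request, so the per-array `maxSize` alone does not bound the handler's cost. If the handler issues one update per reference (likely, but outside this hunk), consider also capping the combined size in the existing `validate` callback, e.g. `if (assign.length + unassign.length > 1000) return 'assign and unassign may not exceed 1000 references combined';`, or add a comment explaining why the product is acceptable. That `validate` callback begins on the last visible line and continues past the hunk, so I cannot see what it already checks.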
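Review bot: `ids: schema.arrayOf(schema.string(), { maxSize: 100 })` still accepts empty strings as ids, whereas bulk_get.ts in this same change uses `schema.string({ minLength: 1 })` for the equivalent field; a consistent `ids: schema.arrayOf(schema.string({ minLength: 1 }), { maxSize: 100 })` rejects malformed ids at validation instead of leaving it to the delete handler. Whether an empty `ids` array should also be rejected with `minSize: 1` depends on how the client uses this internal route, which is not visible here. The handler is outside this hunk, so I cannot confirm whether it already filters empty values.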