[Security Solution][Timeline] fix Kibana DoS via Timeline Bulk Export

[agusruidiazgd]

Summary

Closes: https://github.com/elastic/security-team/issues/14883
This PR fixes a DoS risk in Timeline bulk export (POST /api/timeline/_export).

A user could send a very large list of timeline IDs (including duplicates), which caused unbounded work during export and could degrade Kibana availability.

What changed

• Added stronger request validation for export ids:
  • minimum 1
  • maximum 1000
• Deduplicated incoming export IDs before processing.
• Enforced export size checks on normalized IDs.
• Replaced unbounded enrichment fan-out (notes/pinned events) with bounded batching.

How to test

UI sanity test

1. Log in with a user that has timeline read access (timeline_read).
2. Go to Security -> Timelines.
3. Select one or more timelines and export from the UI.
4. Verify export still works and downloads NDJSON as expected.

Browser Console test (while logged in to Kibana)

1. Oversized payload should fail (400)

await fetch('/api/timeline/_export?file_name=timelines_export.ndjson', {
  method: 'POST',
  credentials: 'same-origin',
  headers: {
    'content-type': 'application/json',
    'kbn-xsrf': 'true',
    'elastic-api-version': '2023-10-31',
  },
  body: JSON.stringify({
    ids: Array.from({ length: 1001 }, () => crypto.randomUUID()),
  }),
});

2. Duplicate IDs should be handled safely

await fetch('/api/timeline/_export?file_name=timelines_export.ndjson', {
  method: 'POST',
  credentials: 'same-origin',
  headers: {
    'content-type': 'application/json',
    'kbn-xsrf': 'true',
    'elastic-api-version': '2023-10-31',
  },
  body: JSON.stringify({
    ids: ['REAL_TIMELINE_ID', 'REAL_TIMELINE_ID', 'REAL_TIMELINE_ID'],
  }),
});

[elasticmachine]

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: c039653

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	11.5MB	11.5MB	+16.0B

cc @agusruidiazgd

[kibanamachine]

Starting backport for target branches: 8.19, 9.2, 9.3

https://github.com/elastic/kibana/actions/runs/23839724833

[kibanamachine]

💔 All backports failed

Status	Branch	Result
❌	8.19	Backport failed because of merge conflicts You might need to backport the following PRs to 8.19: - [ska] relocation security_solution_* FTR tests (#231416)
❌	9.2	Backport failed because of merge conflicts
❌	9.3	Backport failed because of merge conflicts

Manual backport

To create the backport manually run:

node scripts/backport --pr 260265

Questions ?

Please refer to the Backport tool documentation

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 260265 locally
cc: @agusruidiazgd

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 260265 locally
cc: @agusruidiazgd

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 260265 locally
cc: @agusruidiazgd