[9.3] [HTTP] Safer client calls and new browser buildPath utility #265250

Merged: jloleysens merged 7 commits into elastic:9.3 from jloleysens:backport/9.3/pr-257230 on Apr 28, 2026

@jloleysens jloleysens commented Apr 23, 2026

Summary

Backport #257230 to 9.3.

Resolved branch-specific conflicts for the older branch layout while preserving the intended path-safety changes.

Validation

Could not run `node scripts/check_changes.ts` or Jest in the temporary backport repo because dependencies are not bootstrapped there.

(Made with cursor y'all)

…c#257230)

- Create a new best-effort ESLint rule that checks if `http<method>`
calls are used dangerously: direct path injection
- Adds a new `buildPath` utility that can be used with server-side
routes `/api/myapi/{id}` to safely build and encode path parameters
(**bonus**: server-side path `const`s can be reused by the client
directly, no need to build these separately by hand)
- Updates existing usages

Will flag usages of `http` like:

```ts
core.http.delete(`/api/myapi/${id}`, {...});
```

With a message to use `buildPath` or `encodeURIComponent` in order to
safely encode parameters.

Not strictly needed in this PR, this utility allows for using server
side paths like `/api/myapi/{id}` in a parameterised fashion like:

```ts
import { buildPath } from '@kbn/core-http-browser';

buildPath('/api/dashboard/{id}' /* same as { path: ... } server side */, { id })
// => /api/dashboard/encoded-id
```

Happy to exclude this utility if it simplifies things.

(Made with cursor y'all)

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Gerard Soldevila <gerard.soldevila@elastic.co>
(cherry picked from commit 2d72284)
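
The interpolation pattern the lint rule flags, next to a `buildPath`-style helper, as an added TypeScript example that is not part of this PR or of the Kibana code base. `naivePath`, `buildPathSketch`, `resolvePath`, the `kibana.invalid` host and the sample ids are assumptions made for illustration; rejecting bare dot segments is a choice of this sketch, not documented behaviour of the real `buildPath`.

```typescript
// Added illustration. buildPathSketch is a hypothetical stand-in, not the
// @kbn/core-http-browser implementation.
type PathParams = Record<string, string | number>;

// The flagged pattern: the value is pasted into the path unencoded.
function naivePath(id: string): string {
  return `/api/myapi/${id}`;
}

// Fill `{name}` placeholders of a server-side route template with encoded values.
function buildPathSketch(template: string, params: PathParams): string {
  return template.replace(/\{([^{}/]+)\}/g, (_match: string, name: string) => {
    if (!Object.prototype.hasOwnProperty.call(params, name)) {
      throw new Error(`Missing path parameter "${name}" for ${template}`);
    }
    const encoded = encodeURIComponent(String(params[name]));
    // encodeURIComponent leaves "." alone, so a bare "." or ".." would still
    // be collapsed as a dot segment. Rejecting it is this sketch's choice.
    if (encoded === '' || encoded === '.' || encoded === '..') {
      throw new Error(`Unsafe value for path parameter "${name}"`);
    }
    return encoded;
  });
}

// What a URL parser makes of a path (the host is a placeholder).
function resolvePath(path: string): { pathname: string; search: string } {
  const url = new URL(path, 'http://kibana.invalid');
  return { pathname: url.pathname, search: url.search };
}

// Constructed sample values for the `id` parameter.
const samples = ['my-dashboard', '../other/endpoint', 'abc?force=true', 'a b/c#d'];

function compare(id: string) {
  return {
    id,
    naive: resolvePath(naivePath(id)),
    built: resolvePath(buildPathSketch('/api/myapi/{id}', { id })),
  };
}

for (const row of samples.map(compare)) {
  console.log(JSON.stringify(row));
}
```

With the naive form, an id containing `/`, `..`, `?` or `#` changes which route or query string the request carries; with the encoded form the value stays inside the single `{id}` segment.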
@jloleysens jloleysens added the labels Team:Core (Platform Core services: plugins, logging, config, saved objects, http, ES client, i18n, etc), release_note:skip (Skip the PR/issue when compiling release notes) and backport:skip (This PR does not require backporting) on Apr 23, 2026
@jloleysens jloleysens changed the title from "[9.3] [HTTP] Safer client calls and new browser utility" to "[9.3] [HTTP] Safer client calls and new browser buildPath utility" on Apr 23, 2026
@jloleysens jloleysens marked this pull request as ready for review April 24, 2026 09:49
@elasticmachine

Pinging @elastic/kibana-core (Team:Core)

@elastic elastic deleted a comment from infra-vault-gh-plugin-prod Bot Apr 24, 2026
@jloleysens

@elasticmachine merge upstream

@elasticmachine

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)

jesuswr commented Apr 24, 2026

@elasticmachine merge upstream

elasticmachine commented Apr 24, 2026

💔 Build Failed

Failed CI Steps

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

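| id | before | after | diff |
| --- | --- | --- | --- |
| canvas | 1377 | 1379 | +2 |
| dashboard | 998 | 1000 | +2 |
| data | 519 | 521 | +2 |
| enterpriseSearch | 757 | 759 | +2 |
| lens | 1665 | 1667 | +2 |
| logstash | 52 | 54 | +2 |
| observability | 1689 | 1691 | +2 |
| osquery | 271 | 273 | +2 |
| total | | | +16 |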

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| canvas | 1.0MB | 1.0MB | +1.0KB |
| dashboard | 720.9KB | 721.7KB | +809.0B |
| enterpriseSearch | 971.5KB | 972.3KB | +839.0B |
| home | 67.6KB | 67.7KB | +40.0B |
| osquery | 1.1MB | 1.1MB | +947.0B |
| total | | | +3.6KB |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

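| id | before | after | diff | errors |
| --- | --- | --- | --- | --- |
| data | 442.3KB | 443.2KB | +879.0B | ❌ 55.0B over limit |
| lens | 66.4KB | 67.3KB | +842.0B | |
| logstash | 14.1KB | 14.9KB | +815.0B | |
| observability | 96.5KB | 97.3KB | +822.0B | |
| total | | | +3.3KB | |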

Remove the 9.4-only markdown client and its package references so the backport matches the 9.3 merge target.

Made-with: Cursor
@kibanamachine

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

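| id | before | after | diff |
| --- | --- | --- | --- |
| canvas | 1377 | 1379 | +2 |
| dashboard | 998 | 1000 | +2 |
| data | 519 | 521 | +2 |
| enterpriseSearch | 757 | 759 | +2 |
| lens | 1665 | 1667 | +2 |
| logstash | 52 | 54 | +2 |
| observability | 1689 | 1691 | +2 |
| osquery | 271 | 273 | +2 |
| total | | | +16 |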

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
| --- | --- | --- | --- |
| @kbn/core-http-browser | 36 | 38 | +2 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| canvas | 1.0MB | 1.0MB | +1.0KB |
| dashboard | 720.9KB | 721.7KB | +809.0B |
| enterpriseSearch | 971.5KB | 972.3KB | +839.0B |
| home | 67.6KB | 67.7KB | +40.0B |
| osquery | 1.1MB | 1.1MB | +947.0B |
| total | | | +3.6KB |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

| id | before | after | diff |
| --- | --- | --- | --- |
| data | 442.3KB | 443.2KB | +879.0B |
| lens | 66.4KB | 67.3KB | +842.0B |
| logstash | 14.1KB | 14.9KB | +815.0B |
| observability | 96.5KB | 97.3KB | +822.0B |
| total | | | +3.3KB |

Unknown metric groups

API count

| id | before | after | diff |
| --- | --- | --- | --- |
| @kbn/core-http-browser | 120 | 123 | +3 |

@jloleysens jloleysens merged commit fce413c into elastic:9.3 Apr 28, 2026
11 checks passed
@jloleysens jloleysens deleted the backport/9.3/pr-257230 branch April 28, 2026 13:27