[9.3] [HTTP] Safer client calls and new browser buildPath utility (#257230) #265811

Closed: jeramysoucy wants to merge 1 commit into elastic:9.3 from jeramysoucy:backport/9.3/pr-257230

@jeramysoucy
Contributor

Backport

This will backport the following commits from main to 9.3:

Questions ?

Please refer to the Backport tool documentation

…c#257230)

- Create a new best-effort ESLint rule that checks if `http<method>`
calls are used dangerously: direct path injection
- Adds a new `buildPath` utility that can be used with server-side
routes `/api/myapi/{id}` to safely build and encode path parameters
(**bonus**: server-side path `const`s can be reused by the client
directly, no need to build these separately by hand)
- Updates existing usages

### No unsafe `http` path usage

Will flag usages of `http` like:

```ts
core.http.delete(`/api/myapi/${id}`, {...});
```

With a message to use `buildPath` or `encodeURIComponent` in order to
safely encode parameters.

### `buildPath`

Not strictly needed in this PR, this utility allows for using server
side paths like `/api/myapi/{id}` in a parameterised fashion like:

```ts
import { buildPath } from '@kbn/core-http-browser';

buildPath('/api/dashboard/{id}' /* same as { path: ... } server side */, { id })
// => /api/dashboard/encoded-id
```

Happy to exclude this utility if it simplifies things.

(Made with cursor y'all)

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Gerard Soldevila <gerard.soldevila@elastic.co>
(cherry picked from commit 2d72284)

# Conflicts:
#	.eslintrc.js
#	packages/kbn-optimizer/limits.yml
#	src/platform/plugins/shared/dashboard/moon.yml
#	src/platform/plugins/shared/dashboard/public/dashboard_client/dashboard_client.ts
#	src/platform/plugins/shared/dashboard/tsconfig.json
#	src/platform/plugins/shared/dashboard_markdown/moon.yml
#	src/platform/plugins/shared/dashboard_markdown/public/markdown_client/markdown_client.ts
#	src/platform/plugins/shared/dashboard_markdown/tsconfig.json
#	src/platform/plugins/shared/data/public/search/search_interceptor/search_interceptor.ts
#	x-pack/platform/plugins/private/canvas/moon.yml
#	x-pack/platform/plugins/private/canvas/tsconfig.json
#	x-pack/platform/plugins/private/logstash/moon.yml
#	x-pack/platform/plugins/private/logstash/tsconfig.json
#	x-pack/platform/plugins/shared/lens/moon.yml
#	x-pack/platform/plugins/shared/lens/public/persistence/lens_client.ts
#	x-pack/platform/plugins/shared/lens/tsconfig.json
#	x-pack/platform/plugins/shared/osquery/moon.yml
#	x-pack/platform/plugins/shared/osquery/tsconfig.json
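
The risk the lint rule described above targets, as an added TypeScript example (not code from this PR or from `@kbn/core-http-browser`): an unencoded path parameter can change which route a request reaches, while a percent-encoded one stays a single path segment. `buildPathSketch`, `effectivePathname`, the `/internal/other` route and the sample id are hypothetical names and constructed values.

```typescript
// Added illustration; not the @kbn/core-http-browser implementation.
type PathParams = Record<string, string | number>;

// Fill each {name} placeholder with a percent-encoded value. Failing closed on
// missing, empty or dot-segment values is this sketch's own policy (assumption).
function buildPathSketch(template: string, params: PathParams): string {
  return template.replace(/\{([^{}\/]+)\}/g, (_match: string, name: string) => {
    if (!Object.prototype.hasOwnProperty.call(params, name)) {
      throw new Error(`missing path parameter "${name}"`);
    }
    const value = String(params[name]);
    // encodeURIComponent leaves "." untouched, so dot segments need their own check.
    if (value === '' || value === '.' || value === '..') {
      throw new Error(`unsafe value for path parameter "${name}"`);
    }
    return encodeURIComponent(value);
  });
}

// Approximates what a URL parser does with a request target: drop the query
// and fragment, then resolve "." and ".." segments.
function effectivePathname(target: string): string {
  const pathOnly = target.replace(/[?#][\s\S]*$/, '');
  const out: string[] = [];
  for (const seg of pathOnly.split('/')) {
    if (seg === '..') out.pop();
    else if (seg !== '.' && seg !== '') out.push(seg);
  }
  return '/' + out.join('/');
}

const ROUTE = '/api/dashboard/{id}'; // route template from the example above
const hostileId = '../../internal/other?x=1'; // constructed sample input

// The pattern the lint rule flags: the value is interpolated as-is.
function naivePath(id: string): string {
  return `/api/dashboard/${id}`;
}

function demo(): { naive: string; encoded: string } {
  return {
    naive: effectivePathname(naivePath(hostileId)),
    encoded: effectivePathname(buildPathSketch(ROUTE, { id: hostileId })),
  };
}
```
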
@jeramysoucy jeramysoucy added the backport This PR is a backport of another PR label Apr 27, 2026
@jeramysoucy jeramysoucy enabled auto-merge (squash) April 27, 2026 14:53
@elasticmachine
Contributor

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)

@jeramysoucy jeramysoucy marked this pull request as draft April 27, 2026 15:01
auto-merge was automatically disabled April 27, 2026 15:01

Pull request was converted to draft

@jeramysoucy
Contributor Author

Duplicate of #265250

@jeramysoucy jeramysoucy marked this as a duplicate of #265250 Apr 27, 2026
@kibanamachine
Contributor

kibanamachine commented Apr 27, 2026

💔 Build Failed

Failed CI Steps

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

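| id | before | after | diff |
| --- | --- | --- | --- |
| canvas | 1377 | 1379 | +2 |
| dashboard | 998 | 1000 | +2 |
| data | 519 | 521 | +2 |
| enterpriseSearch | 757 | 759 | +2 |
| lens | 1665 | 1667 | +2 |
| logstash | 52 | 54 | +2 |
| observability | 1689 | 1691 | +2 |
| osquery | 271 | 273 | +2 |
| total | | | +16 |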

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| canvas | 1.0MB | 1.0MB | +1.0KB |
| dashboard | 720.9KB | 721.7KB | +809.0B |
| enterpriseSearch | 971.5KB | 972.3KB | +839.0B |
| home | 67.6KB | 67.7KB | +40.0B |
| osquery | 1.1MB | 1.1MB | +947.0B |
| total | | | +3.6KB |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

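| id | before | after | diff | errors |
| --- | --- | --- | --- | --- |
| data | 442.3KB | 443.2KB | +869.0B | ❌ 45.0B over limit |
| lens | 66.4KB | 67.3KB | +842.0B | |
| logstash | 14.1KB | 14.9KB | +815.0B | |
| observability | 96.5KB | 97.3KB | +822.0B | |
| total | | | +3.3KB | |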


Labels

backport This PR is a backport of another PR Team:obs-ux-management
