[Fleet] Validate SSL certificate paths for whitespace

oas_docs/output/kibana.serverless.yaml

@@ -94275,6 +94275,7 @@ components:
             - none
           type: string
         compression_level:
+          nullable: true
           type: number
         config_yaml:
           nullable: true
@@ -95477,6 +95478,7 @@ components:
             - none
           type: string
         compression_level:
+          nullable: true
           type: number
         config_yaml:
           nullable: true
@@ -97738,6 +97740,7 @@ components:
             - none
           type: string
         compression_level:
+          nullable: true
           type: number
         config_yaml:
           nullable: true

oas_docs/output/kibana.yaml

@@ -106685,6 +106685,7 @@ components:
             - none
           type: string
         compression_level:
+          nullable: true
           type: number
         config_yaml:
           nullable: true
@@ -107887,6 +107888,7 @@ components:
             - none
           type: string
         compression_level:
+          nullable: true
           type: number
         config_yaml:
           nullable: true
@@ -110148,6 +110150,7 @@ components:
             - none
           type: string
         compression_level:
+          nullable: true
           type: number
         config_yaml:
           nullable: true

x-pack/platform/plugins/shared/fleet/common/services/index.ts

@@ -131,6 +131,8 @@ export {
 // Cloud Connector accessor module
 export * from './cloud_connectors';
 
+export { validateSslCertPath } from './ssl_validators';
+
 export type { YamlModule } from './yaml_utils';
 export { createYamlKeysSorter, toYaml } from './yaml_utils';
 export {

x-pack/platform/plugins/shared/fleet/common/services/ssl_validators.test.ts

@@ -0,0 +1,92 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { validateSslCertPath } from './ssl_validators';
+
+describe('validateSslCertPath', () => {
+  describe('valid inputs (returns undefined)', () => {
+    it('empty string', () => {
+      expect(validateSslCertPath('')).toBeUndefined();
+    });
+
+    it('Linux path without spaces', () => {
+      expect(validateSslCertPath('/etc/certs/ca.pem')).toBeUndefined();
+    });
+
+    it('relative path without spaces', () => {
+      expect(validateSslCertPath('./certs/ca.pem')).toBeUndefined();
+    });
+
+    it('Windows absolute path without spaces', () => {
+      expect(validateSslCertPath('C:\\certs\\server.pem')).toBeUndefined();
+    });
+
+    it('Windows forward-slash path without spaces', () => {
+      expect(validateSslCertPath('C:/certs/server.pem')).toBeUndefined();
+    });
+
+    it('UNC path without spaces', () => {
+      expect(validateSslCertPath('\\\\server\\share\\cert.pem')).toBeUndefined();
+    });
+
+    it('PEM certificate content', () => {
+      expect(
+        validateSslCertPath(
+          '-----BEGIN CERTIFICATE-----\nMIIDXTCCAkWgAwIBAgIJAJC1\n-----END CERTIFICATE-----'
+        )
+      ).toBeUndefined();
+    });
+
+    it('PEM RSA private key', () => {
+      expect(
+        validateSslCertPath(
+          '-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----'
+        )
+      ).toBeUndefined();
+    });
+
+    it('PEM EC private key', () => {
+      expect(
+        validateSslCertPath(
+          '-----BEGIN EC PRIVATE KEY-----\nMHQCAQEEIO\n-----END EC PRIVATE KEY-----'
+        )
+      ).toBeUndefined();
+    });
+
+    it('PEM content with leading whitespace', () => {
+      expect(
+        validateSslCertPath('  -----BEGIN CERTIFICATE-----\nMIID\n-----END CERTIFICATE-----')
+      ).toBeUndefined();
+    });
+  });
+
+  describe('invalid inputs (returns error string)', () => {
+    it('Linux path with spaces', () => {
+      expect(validateSslCertPath('/path/to my cert.pem')).toBeDefined();
+    });
+
+    it('relative path with spaces', () => {
+      expect(validateSslCertPath('./my certs/ca.pem')).toBeDefined();
+    });
+
+    it('Windows path with spaces', () => {
+      expect(validateSslCertPath('C:\\Program Files\\certs\\server.pem')).toBeDefined();
+    });
+
+    it('Windows forward-slash path with spaces', () => {
+      expect(validateSslCertPath('C:/Program Files/certs/server.pem')).toBeDefined();
+    });
+
+    it('UNC path with spaces in share name', () => {
+      expect(validateSslCertPath('\\\\server\\my share\\cert.pem')).toBeDefined();
+    });
+
+    it('path with tab character', () => {
+      expect(validateSslCertPath('/path/to\tcert.pem')).toBeDefined();
+    });
+  });
+});

x-pack/platform/plugins/shared/fleet/common/services/ssl_validators.ts

@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+// PEM content (-----BEGIN ...) is exempt — it naturally contains whitespace
+export function validateSslCertPath(value: string): string | undefined {
+  if (!value || value.trimStart().startsWith('-----BEGIN')) return undefined;
+  if (/\s/.test(value)) {
+    return i18n.translate('xpack.fleet.sslValidation.pathSpacesError', {
+      defaultMessage: 'SSL certificate path cannot contain whitespace',
+    });
+  }
+}

x-pack/platform/plugins/shared/fleet/common/types/models/output.ts

@@ -102,7 +102,7 @@ export interface KafkaOutput extends NewBaseOutput {
   version?: string;
   key?: string;
   compression?: ValueOf<KafkaCompressionType>;
-  compression_level?: number;
+  compression_level?: number | null;
   auth_type?: ValueOf<KafkaAuthType>;
   connection_type?: ValueOf<KafkaConnectionTypeType>;
   username?: string | null;

x-pack/platform/plugins/shared/fleet/cypress/e2e/fleet_settings.cy.ts

@@ -136,8 +136,12 @@ describe('Edit settings', () => {
     cy.getBySel(SETTINGS_OUTPUTS.TYPE_INPUT).select('logstash');
     cy.get('[placeholder="Specify host"').clear().type('logstash:5044');
     cy.getBySel(SETTINGS_OUTPUTS.SSL_BUTTON).click();
-    cy.get('[placeholder="Specify SSL certificate"]').clear().type('SSL CERTIFICATE');
-    cy.get('[placeholder="Specify certificate key"]').clear().type('SSL KEY');
+    cy.get('[placeholder="Specify SSL certificate"]')
+      .clear()
+      .type('-----BEGIN CERTIFICATE-----', { parseSpecialCharSequences: false });
+    cy.get('[placeholder="Specify certificate key"]')
+      .clear()
+      .type('-----BEGIN PRIVATE KEY-----', { parseSpecialCharSequences: false });
 
     cy.intercept('/api/fleet/outputs', {
       items: [
@@ -157,8 +161,8 @@ describe('Edit settings', () => {
       is_default: false,
       is_default_monitoring: false,
       ssl: {
-        certificate: "SSL CERTIFICATE');",
-        key: 'SSL KEY',
+        certificate: '-----BEGIN CERTIFICATE-----',
+        key: '-----BEGIN PRIVATE KEY-----',
       },
     }).as('postLogstashOutput');
 

x-pack/platform/plugins/shared/fleet/cypress/e2e/fleet_settings_outputs.cy.ts

@@ -182,12 +182,11 @@ queue:
   describe('Remote ES', () => {
     it('displays proper error messages', () => {
       selectRemoteESOutput();
+      cy.getBySel(SETTINGS_OUTPUTS.NAME_INPUT).type('name');
+      cy.get('[placeholder="Specify host URL"').clear().type('https://localhost:5000');
       cy.getBySel(SETTINGS_SAVE_BTN).click();
 
-      cy.contains('Name is required');
-      cy.contains('URL is required');
       cy.contains('Service token is required');
-      shouldDisplayError(SETTINGS_OUTPUTS.NAME_INPUT);
       shouldDisplayError('serviceTokenSecretInput');
     });
 
@@ -392,18 +391,17 @@ queue:
 
       it('displays proper error messages', () => {
         selectKafkaOutput();
+        cy.getBySel(SETTINGS_OUTPUTS.NAME_INPUT).type('name');
+        cy.get('[placeholder="Specify host"').type('localhost:5000');
         cy.getBySel(SETTINGS_OUTPUTS_KAFKA.HEADERS_CLIENT_ID_INPUT).clear();
         cy.getBySel(SETTINGS_SAVE_BTN).click();
 
-        cy.contains('Name is required');
-        cy.contains('Host is required');
         cy.contains('Username is required');
         cy.contains('Password is required');
         cy.contains('Default topic is required');
         cy.contains(
           'Client ID is invalid. Only letters, numbers, dots, underscores, and dashes are allowed.'
         );
-        shouldDisplayError(SETTINGS_OUTPUTS.NAME_INPUT);
         shouldDisplayError(SETTINGS_OUTPUTS_KAFKA.AUTHENTICATION_USERNAME_INPUT);
         shouldDisplayError(SETTINGS_OUTPUTS_KAFKA.AUTHENTICATION_PASSWORD_INPUT);
         shouldDisplayError(SETTINGS_OUTPUTS_KAFKA.TOPICS_DEFAULT_TOPIC_INPUT);
@@ -564,8 +562,12 @@ queue:
         cy.get('[placeholder="Specify host"').clear().type('localhost:5000');
 
         cy.getBySel(SETTINGS_OUTPUTS.SSL_BUTTON).click();
-        cy.get('[placeholder="Specify SSL certificate"]').clear().type('SSL CERTIFICATE');
-        cy.get('[placeholder="Specify certificate key"]').clear().type('SSL KEY');
+        cy.get('[placeholder="Specify SSL certificate"]')
+          .clear()
+          .type('-----BEGIN CERTIFICATE-----', { parseSpecialCharSequences: false });
+        cy.get('[placeholder="Specify certificate key"]')
+          .clear()
+          .type('-----BEGIN PRIVATE KEY-----', { parseSpecialCharSequences: false });
 
         cy.intercept('PUT', '**/api/fleet/outputs/**').as('saveOutput');
 

x-pack/platform/plugins/shared/fleet/public/applications/fleet/sections/settings/components/download_source_flyout/use_download_source_flyout_form.test.tsx

@@ -5,12 +5,116 @@
  * 2.0.
  */
 
+import { act } from '@testing-library/react';
+
+import { createFleetTestRendererMock } from '../../../../../../mock';
+
 import {
   validateHost,
   validateDownloadSourceHeaders,
+  useDowloadSourceFlyoutForm,
   type AuthType,
 } from './use_download_source_flyout_form';
 
+jest.mock('../../../../../../hooks/use_authz', () => ({
+  useAuthz: () => ({
+    fleet: {
+      allSettings: true,
+    },
+  }),
+}));
+
+describe('useDowloadSourceFlyoutForm SSL certificate path validation', () => {
+  it('should block submission when certificate path contains spaces', async () => {
+    const testRenderer = createFleetTestRendererMock();
+    const onSuccess = jest.fn();
+    const { result } = testRenderer.renderHook(() =>
+      useDowloadSourceFlyoutForm(onSuccess, undefined)
+    );
+
+    act(() => {
+      result.current.inputs.nameInput.setValue('My Source');
+      result.current.inputs.hostInput.setValue('https://artifacts.example.com');
+      result.current.inputs.sslCertificateInput.setValue('/path with spaces/cert.pem');
+    });
+
+    await act(() => result.current.submit());
+
+    await testRenderer.waitFor(() => {
+      expect(result.current.inputs.sslCertificateInput.errors).toBeDefined();
+      expect(onSuccess).not.toBeCalled();
+      expect(result.current.isDisabled).toBeTruthy();
+    });
+  });
+
+  it('should block submission when certificate key path contains spaces', async () => {
+    const testRenderer = createFleetTestRendererMock();
+    const onSuccess = jest.fn();
+    const { result } = testRenderer.renderHook(() =>
+      useDowloadSourceFlyoutForm(onSuccess, undefined)
+    );
+
+    act(() => {
+      result.current.inputs.nameInput.setValue('My Source');
+      result.current.inputs.hostInput.setValue('https://artifacts.example.com');
+      result.current.inputs.sslKeyInput.setValue('/path with spaces/key.pem');
+    });
+
+    await act(() => result.current.submit());
+
+    await testRenderer.waitFor(() => {
+      expect(result.current.inputs.sslKeyInput.errors).toBeDefined();
+      expect(onSuccess).not.toBeCalled();
+      expect(result.current.isDisabled).toBeTruthy();
+    });
+  });
+
+  it('should block submission when certificate authorities path contains spaces', async () => {
+    const testRenderer = createFleetTestRendererMock();
+    const onSuccess = jest.fn();
+    const { result } = testRenderer.renderHook(() =>
+      useDowloadSourceFlyoutForm(onSuccess, undefined)
+    );
+
+    act(() => {
+      result.current.inputs.nameInput.setValue('My Source');
+      result.current.inputs.hostInput.setValue('https://artifacts.example.com');
+      result.current.inputs.sslCertificateAuthoritiesInput.props.onChange([
+        '/path with spaces/ca.pem',
+      ]);
+    });
+
+    await act(() => result.current.submit());
+
+    await testRenderer.waitFor(() => {
+      expect(result.current.inputs.sslCertificateAuthoritiesInput.props.errors).toBeDefined();
+      expect(onSuccess).not.toBeCalled();
+      expect(result.current.isDisabled).toBeTruthy();
+    });
+  });
+
+  it('should allow submission when all SSL paths are valid', async () => {
+    const testRenderer = createFleetTestRendererMock();
+    const onSuccess = jest.fn();
+    testRenderer.startServices.http.post.mockResolvedValue({ item: {} });
+    const { result } = testRenderer.renderHook(() =>
+      useDowloadSourceFlyoutForm(onSuccess, undefined)
+    );
+
+    act(() => {
+      result.current.inputs.nameInput.setValue('My Source');
+      result.current.inputs.hostInput.setValue('https://artifacts.example.com');
+      result.current.inputs.sslCertificateInput.setValue('/valid/path/cert.pem');
+      result.current.inputs.sslKeyInput.setValue('/valid/path/key.pem');
+      result.current.inputs.sslCertificateAuthoritiesInput.props.onChange(['/valid/ca.pem']);
+    });
+
+    await act(() => result.current.submit());
+
+    await testRenderer.waitFor(() => expect(onSuccess).toBeCalled());
+  });
+});
+
 describe('Download source form validation', () => {
   describe('validateHost', () => {
     it('should not work without any urls', () => {