Skip to content

Comments

Hide input value from kbn-config-schema error messages#58843

Merged
pgayvallet merged 18 commits intoelastic:masterfrom
pgayvallet:kbn-58652-hide-config-schema-value-in-error
Mar 6, 2020
Merged

Hide input value from kbn-config-schema error messages#58843
pgayvallet merged 18 commits intoelastic:masterfrom
pgayvallet:kbn-58652-hide-config-schema-value-in-error

Conversation

@pgayvallet
Copy link
Contributor

@pgayvallet pgayvallet commented Feb 28, 2020
edited
Loading

Summary

Fix #58652

Note: first commit converts every config-schema's snapshots to inline snapshots (that needed to be done and greatly improve next commit's readability). Would be easier to review by ignoring it.

Checklist

For maintainers

@pgayvallet pgayvallet added Feature:New Platform Team:Core Platform Core services: plugins, logging, config, saved objects, http, ES client, i18n, etc t// v7.7.0 v8.0.0 labels Feb 28, 2020
@elasticmachine
Copy link
Contributor

elasticmachine commented Feb 28, 2020

Pinging @elastic/kibana-platform (Team:Platform)

@pgayvallet pgayvallet marked this pull request as ready for review February 28, 2020 09:00
@pgayvallet pgayvallet requested review from a team as code owners February 28, 2020 09:00
@pgayvallet pgayvallet added the release_note:skip Skip the PR/issue when compiling release notes label Feb 28, 2020
mikecote
mikecote approved these changes Feb 28, 2020
View reviewed changes
Copy link
Contributor

@mikecote mikecote left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alerting changes LGTM

mshustov
mshustov approved these changes Mar 2, 2020
View reviewed changes
packages/kbn-config-schema/src/types/map_of_type.test.ts
test('fails if string input cannot be parsed', () => {
const type = schema.mapOf(schema.string(), schema.string());
expect(() => type.validate(`invalidjson`)).toThrowErrorMatchingInlineSnapshot(
`"could not parse map value from [invalidjson]"`
Copy link
Contributor

@mshustov mshustov Mar 2, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This example and schema.literal, hostname/uri bother me the most. It's would be painful to debug such a message without a real output and could make life harder for our support team. There are just a few fields in the config that could be considered as sensitive, and most of them are defined within the platform. OTOH it's a good practice to have the most strict rules and loosen them by request, so OK for me

Copy link
Contributor Author

@pgayvallet pgayvallet Mar 3, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree and I expressed the same concerns in #58652 (comment). But I guess being consistent in this rule makes the more sense.

Copy link
Contributor Author

@pgayvallet pgayvallet Mar 3, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added this issue to today's weekly discussions just to be sure we all are on the same page here.

kobelb
kobelb reviewed Mar 2, 2020
View reviewed changes
Copy link
Contributor

@kobelb kobelb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for taking this on @pgayvallet!

It looks like ByteSizeValue and Duration are throwing errors with user input, and this can end up within the logs. The likelihood of us having sensitive/secret durations and byte sizes is pretty low, but in an effort to keep all of this consistent, something we should probably address. Were these intentionally excluded?

@pgayvallet
Copy link
Contributor Author

pgayvallet commented Mar 3, 2020

@kobelb These were just overlooked. Fixed in d93bd87

@kobelb
Copy link
Contributor

kobelb commented Mar 3, 2020

I think there's one more within ByteSizeValue

kibana/packages/kbn-config-schema/src/byte_size_value/index.ts

Line 41 in c81e0da

`Failed to parse [${text}] as byte value. Value must be either number of bytes, or follow the format <count>[b|kb|mb|gb] ` +

@pgayvallet
Copy link
Contributor Author

pgayvallet commented Mar 4, 2020

@kobelb hope that was the last one 😄 . PTAL

@kibanamachine
Copy link
Contributor

kibanamachine commented Mar 6, 2020

💚 Build Succeeded

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@pgayvallet pgayvallet merged commit 45fb6f3 into elastic:master Mar 6, 2020
pgayvallet added a commit to pgayvallet/kibana that referenced this pull request Mar 6, 2020
@pgayvallet
Hide input value from kbn-config-schema error messages (elastic#58843)
e383219 
* use inline snapshots instead of snapshots

* hide input value from error messages

* update core snapshots

* update xpack snapshots

* fix ftr assertions

* fix new snapshots

* hide values for byte_size and duration

* update new snapshots

* remove another byte_size value reference

* fix yet another value references in error messages

* update xpack snapshots

* update xpack ftr assertions
@pgayvallet pgayvallet mentioned this pull request Mar 6, 2020
Merged
@kibanamachine kibanamachine added the backport missing Added to PRs automatically when the are determined to be missing a backport. label Mar 7, 2020
@kibanamachine
Copy link
Contributor

kibanamachine commented Mar 7, 2020

Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync.

pgayvallet added a commit that referenced this pull request Mar 8, 2020
@pgayvallet
[7.x] Hide input value from kbn-config-schema error messages (#58843) (
0c57aa8 
…#59565)

* Hide input value from kbn-config-schema error messages (#58843)

* use inline snapshots instead of snapshots

* hide input value from error messages

* update core snapshots

* update xpack snapshots

* fix ftr assertions

* fix new snapshots

* hide values for byte_size and duration

* update new snapshots

* remove another byte_size value reference

* fix yet another value references in error messages

* update xpack snapshots

* update xpack ftr assertions

* update snapshots
@kibanamachine kibanamachine removed the backport missing Added to PRs automatically when the are determined to be missing a backport. label Mar 8, 2020
gmmorris added a commit to gmmorris/kibana that referenced this pull request Mar 9, 2020
@gmmorris
Merge branch 'master' into alerting/view-in-app
57d5b4f 
* master: (154 commits)
  Add an optional authentication mode for HTTP resources (elastic#58589)
  Implement embeddable drilldown menu options (elastic#59232)
  [Alerting] "Create alert" graph visualization design improvements (elastic#59399)
  Alerting update route throttle property is missing (elastic#59580)
  [SIEM] Adds 'Load prebuilt rules' Cypress test (elastic#59529)
  Show error if field is not found during filter rendering (elastic#59298)
  Navigate back to discover app during test, because the saved search from the preceding test has major performance problems when used with this test (elastic#59571)
  Check for alert dialog when doing a force logout (elastic#59329)
  ensure fs deletes are not cwd dependent (elastic#59570)
  Empty message for APM service map (elastic#59518)
  [Drilldowns] <ActionWizard/> Component (elastic#59032)
  [Reporting] Improve the page exit error messages (elastic#59351)
  Ensure logged out starting state for tests that need it (elastic#59322)
  Hide input value from kbn-config-schema error messages (elastic#58843)
  [ML] Transforms: Migrate client plugin to NP. (elastic#59443)
  [ML] Disable failing functional tests
  [SIEM] Update Timeline to use the latest euiFlyoutBody style (elastic#59524)
  Temporarily remove the project mappings for PR labels (elastic#59493)
  [Alerting] replace index threshold graph usage of watcher APIs with new API (elastic#59385)
  [ML] Show view series link in anomalies table for machine_learning_user role (elastic#59549)
  ...
@mshustov mshustov mentioned this pull request Aug 29, 2020
Closed
@mshustov mshustov mentioned this pull request Sep 29, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kobelb kobelb kobelb approved these changes

@mikecote mikecote mikecote approved these changes

+1 more reviewer

@mshustov mshustov mshustov approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Feature:New Platform release_note:skip Skip the PR/issue when compiling release notes Team:Core Platform Core services: plugins, logging, config, saved objects, http, ES client, i18n, etc t// v7.7.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

config-schema shouldn't log sensitive data

6 participants

@pgayvallet @elasticmachine @kobelb @kibanamachine @mshustov @mikecote