Open XavierM opened 2 years ago
Pinging @elastic/response-ops (Team:ResponseOps)
@XavierM Can you provide an example of where you've done this before? I think you showed me but I forgot
I think we can do something like that to validate our request from our search strategy, so we only get what we expect, and if not we throw an error to our user. That way we make sure nothing gets injected without our approval. What do you think?
```ts
import { schema as s } from '@kbn/config-schema';
import { sortSchema } from '../../../../../src/core/server/saved_objects/service/lib/aggregations/aggs_types/common_schemas';

// Contract for the body our alerts search strategy accepts. `schema.object`
// forbids unknown keys by default, so any top-level key not listed here fails validation.
export const alertsSearchRequestSchema = s.object({
  // Only these solution feature ids may be queried.
  featureIds: s.arrayOf(
    s.oneOf([
      s.literal('apm'),
      s.literal('logs'),
      s.literal('infrastructure'),
      s.literal('observability'),
      s.literal('siem'),
      s.literal('uptime'),
    ])
  ),
  // Optional ES bool query. Clause values are kept loose here; the nested object
  // needs `unknowns: 'allow'` because a bare `s.object({})` rejects every key,
  // which would make any real bool clause fail validation.
  query: s.maybe(
    s.object({
      bool: s.recordOf(
        s.string(),
        s.oneOf([s.string(), s.boolean(), s.number(), s.object({}, { unknowns: 'allow' })])
      ),
    })
  ),
  sort: s.maybe(sortSchema),
  pagination: s.maybe(
    s.object({
      pageIndex: s.number(),
      pageSize: s.number(),
    })
  ),
});
```
...
```ts
// And then we do that in our search strategy: `validate` returns the typed value
// or throws a validation error describing the offending key.
alertsSearchRequestSchema.validate(request, {}, '');
```
We should validate our request coming from the search strategy by using the Kibana schema; it will allow us to have more control over our API and tell our user what we are allowing or not.
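To show what the proposed validation buys at the search-strategy boundary, here is an added, self-contained TypeScript illustration that is not Kibana code and does not use `@kbn/config-schema`: a hand-written allow-list validator enforcing the same contract (a fixed set of feature ids, a top-level `bool` query only, bounded pagination, no undeclared keys) and additionally rejecting query types that were never approved, such as `script`. The allowed query-type list, the `MAX_PAGE_SIZE` limit and the sample requests are assumptions made for the example.

```typescript
// Added illustration, not Kibana's code: a hand-rolled allow-list validator
// that mirrors the contract of the proposed alertsSearchRequestSchema.

const ALLOWED_FEATURE_IDS = ['apm', 'logs', 'infrastructure', 'observability', 'siem', 'uptime'] as const;
// Assumed allow-lists for the example: bool clauses and leaf query types we approve.
const BOOL_CLAUSES = new Set(['must', 'filter', 'should', 'must_not', 'minimum_should_match']);
const LEAF_QUERIES = new Set(['term', 'terms', 'match', 'match_phrase', 'range', 'exists', 'ids', 'bool']);
const MAX_PAGE_SIZE = 10_000; // assumed upper bound, not a Kibana constant

class RequestValidationError extends Error {}

// Every rejection names the path of the offending key, so the caller can tell the user exactly what was refused.
function fail(path: string, msg: string): never {
  throw new RequestValidationError(`[${path}]: ${msg}`);
}

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// A query clause is an object with exactly one key naming an approved query type.
function validateQueryClause(clause: unknown, path: string): void {
  if (!isPlainObject(clause)) fail(path, 'expected an object');
  const keys = Object.keys(clause);
  if (keys.length !== 1) fail(path, 'a query clause must have exactly one query type');
  const type = keys[0];
  if (!LEAF_QUERIES.has(type)) fail(`${path}.${type}`, 'query type is not allowed');
  if (type === 'bool') validateBool(clause.bool, `${path}.bool`);
}

// Bool clauses may be a single clause object or an array of them; nested bools recurse.
function validateBool(bool: unknown, path: string): void {
  if (!isPlainObject(bool)) fail(path, 'expected an object');
  for (const [clause, value] of Object.entries(bool)) {
    const p = `${path}.${clause}`;
    if (!BOOL_CLAUSES.has(clause)) fail(p, 'unknown bool clause');
    if (clause === 'minimum_should_match') {
      if (typeof value !== 'number' && typeof value !== 'string') fail(p, 'expected a number or string');
      continue;
    }
    const items: unknown[] = Array.isArray(value) ? value : [value];
    items.forEach((item, i) => validateQueryClause(item, `${p}[${i}]`));
  }
}

interface AlertsSearchRequest {
  featureIds: (typeof ALLOWED_FEATURE_IDS)[number][];
  query?: { bool: Record<string, unknown> };
  pagination?: { pageIndex: number; pageSize: number };
}

// Returns the request typed as AlertsSearchRequest, or throws RequestValidationError.
function validateAlertsSearchRequest(input: unknown): AlertsSearchRequest {
  if (!isPlainObject(input)) fail('', 'expected an object');
  const allowedTop = new Set(['featureIds', 'query', 'pagination']);
  for (const k of Object.keys(input)) if (!allowedTop.has(k)) fail(k, 'definition for this key is missing');

  const { featureIds, query, pagination } = input;
  if (!Array.isArray(featureIds)) fail('featureIds', 'expected an array');
  featureIds.forEach((id, i) => {
    if (!ALLOWED_FEATURE_IDS.includes(id)) fail(`featureIds[${i}]`, `unknown feature id ${JSON.stringify(id)}`);
  });

  if (query !== undefined) {
    if (!isPlainObject(query) || Object.keys(query).join() !== 'bool') fail('query', 'only a top-level bool query is accepted');
    validateBool(query.bool, 'query.bool');
  }

  if (pagination !== undefined) {
    if (!isPlainObject(pagination)) fail('pagination', 'expected an object');
    const { pageIndex, pageSize, ...rest } = pagination;
    if (Object.keys(rest).length > 0) fail('pagination', `unexpected keys: ${Object.keys(rest).join(', ')}`);
    if (typeof pageIndex !== 'number' || !Number.isInteger(pageIndex) || pageIndex < 0) fail('pagination.pageIndex', 'expected a non-negative integer');
    if (typeof pageSize !== 'number' || !Number.isInteger(pageSize) || pageSize < 1 || pageSize > MAX_PAGE_SIZE) fail('pagination.pageSize', `expected an integer between 1 and ${MAX_PAGE_SIZE}`);
  }
  return input as unknown as AlertsSearchRequest;
}

// Convenience for callers/tests: the rejection message, or null when the request is accepted.
function describeRejection(input: unknown): string | null {
  try {
    validateAlertsSearchRequest(input);
    return null;
  } catch (e) {
    if (e instanceof RequestValidationError) return e.message;
    throw e;
  }
}

// Constructed sample inputs for the example (not real traffic).
const goodRequest = {
  featureIds: ['siem', 'logs'],
  query: {
    bool: {
      must: [{ match: { 'kibana.alert.status': 'active' } }],
      filter: { range: { '@timestamp': { gte: 'now-1h' } } },
    },
  },
  pagination: { pageIndex: 0, pageSize: 50 },
};
// A client trying to smuggle a script query through the bool filter.
const injectedRequest = {
  featureIds: ['siem'],
  query: { bool: { filter: [{ script: { script: { source: 'doc["x"].value > 0' } } }] } },
};
```

Used this way the search strategy calls `validateAlertsSearchRequest(request)` before it builds the Elasticsearch query, and surfaces the thrown message to the user; the `schema.validate` call in the comment above plays the same role, with the allow-list expressed declaratively instead of by hand.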