elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Console][Monaco] Requests can be sent without verb #186768

Open sakurai-youhei opened 1 week ago

sakurai-youhei commented 1 week ago

Kibana version: 74a202a79a116d3b56396783c465522bc56fc59c

Elasticsearch version: 8.15.0-SNAPSHOT

Server OS version: Linux wsl 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Browser version: Chrome Version 126.0.6478.63 (Official Build) (64-bit)

Browser OS version: Windows 11 10.0.22621 N/A Build 22621

Original install method (e.g. download page, yum, from source, etc.): Build from source

Describe the bug: The console allows POST-ing to /api/console/proxy?path=&method=, which is probably unintended behavior and should be gated prior to the API call; these kinds of API calls are blocked on 8.14.1.

Steps to reproduce:

  1. Go to Kibana > Dev Tools > Console.
  2. Type in 1 at a blank line.
  3. Press Ctrl+i to make an API call.

Expected behavior: The API call is blocked like on 8.14.1.

Screenshots (if relevant): [screenshot]

Errors in browser console (if relevant):

POST http://localhost:5601/gor/api/console/proxy?path=&method= 400 (Bad Request)

elasticmachine commented 1 week ago

Pinging @elastic/kibana-management (Team:Kibana Management)

yuliacech commented 9 minutes ago

The code in MonacoEditorActionsProvider should check if the request is valid before doing any request actions like sending the request, opening documentation, etc.