elasticmachine
commented
1 month ago Pinging @elastic/response-ops (Team:ResponseOps)
Closed cnasikas closed 2 weeks ago
elasticmachine
commented
1 month ago Pinging @elastic/response-ops (Team:ResponseOps)
Zacqary
commented
1 month ago There is a bug in our code that registers the following API GET [/internal/alerting/rules/_find] with public access.
Do you mean excludeFromPublicApi: false, in this block?
export const findInternalRulesRoute = (
router: IRouter<AlertingRequestHandlerContext>,
licenseState: ILicenseState,
usageCounter?: UsageCounter
) => {
buildFindRulesRoute({
excludeFromPublicApi: false,
licenseState,
path: INTERNAL_ALERTING_API_FIND_RULES_PATH,
router,
usageCounter,
});
};I think that's just a confusingly named variable. Note how the public route uses excludeFromPublicApi: true. This variable, if true, excludes all fields that are in fieldsToExcludeFromPublicApi from the response:
if (excludeFromPublicApi) {
try {
validateOperationOnAttributes(
filterKueryNode,
sortField,
restOptions.searchFields,
context.fieldsToExcludeFromPublicApi
);
} Oh never mind it's access: 'public' in the options
cnasikas
commented
1 month ago Yes, that's it, access: 'public'! findInternalRulesRoute calls buildFindRulesRoute which in turn on L41 calls router.get with access: 'public' and path: INTERNAL_ALERTING_API_FIND_RULES_PATH.
There is a bug in our code that registers the following API
GET [/internal/alerting/rules/_find]with public access. This happens because the same code is being used to register a public and internal API. The function to register is being called twice, one for the public and one for internal usage. There are no checks in place that guards the registration of the public route when is being called to register the internal usage.