
[Security Solution][Endpoint] Wraps query in parentheses to avoid query exception lists #102612

Conversation

dasansol92
Contributor

Summary

This was the query before the changes:
((exception-list-agnostic.attributes.list_type: item AND exception-list-agnostic.attributes.list_id: "endpoint_trusted_apps") AND exception-list-agnostic.attributes.name:(*Eve*) OR exception-list-agnostic.attributes.description:(*Eve*) OR exception-list-agnostic.attributes.entries.value:(*Eve*) OR exception-list-agnostic.attributes.entries.entries.value:(*Eve*))

Without the parentheses we were filtering all that matches name, entries or description without the list_type and list_id filters (because of the OR statement without parentheses).

This is the query after the changes:
((exception-list-agnostic.attributes.list_type: item AND exception-list-agnostic.attributes.list_id: "endpoint_trusted_apps") AND (exception-list-agnostic.attributes.name:(*Eve*) OR exception-list-agnostic.attributes.description:(*Eve*) OR exception-list-agnostic.attributes.entries.value:(*Eve*) OR exception-list-agnostic.attributes.entries.entries.value:(*Eve*)))

Now there is no list/exception list returned on this query when filtering by list_id.

@dasansol92 dasansol92 added release_note:skip Skip the PR/issue when compiling release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v7.14.0 v7.13.0 auto-backport Deprecated - use backport:version if exact versions are needed labels Jun 18, 2021
@dasansol92 dasansol92 requested a review from a team as a code owner June 18, 2021 08:56
@elasticmachine
Contributor

Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt)

@dasansol92
Contributor Author

@elasticmachine merge upstream

@kibanamachine
Contributor

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 6.9MB 6.9MB +6.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Member

@ashokaditya ashokaditya left a comment


Since this is quite a long query with many terms I would suggest to break this up into smaller clauses and then compose the query predicate. It would be easier to maintain and change in the future.
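The two points raised on this PR, the precedence bug described in the summary and the suggestion to compose the query from smaller clauses, can be shown together. The following is an added example and not Kibana's own code: it builds the trusted-apps search as a small AST so grouping is structural, renders it to the exact before/after strings from the PR description, and runs a toy evaluator over constructed saved objects to show that the ungrouped form returns items from other lists. The field names are the ones in the PR; the sample documents, the evaluator and all function names are assumptions made for the example.

```javascript
// Added example, not Kibana's own code. Field names come from the PR; the saved
// objects below are constructed, and the evaluator is a toy that models only
// AND/OR precedence and wildcard "contains" matching on those fields.

const LIST_TYPE = 'exception-list-agnostic.attributes.list_type';
const LIST_ID = 'exception-list-agnostic.attributes.list_id';
const SEARCHABLE_FIELDS = [
  'exception-list-agnostic.attributes.name',
  'exception-list-agnostic.attributes.description',
  'exception-list-agnostic.attributes.entries.value',
  'exception-list-agnostic.attributes.entries.entries.value',
];

// Small AST so grouping is explicit instead of relying on string precedence.
const term = (field, value, opts = {}) => ({ type: 'term', field, value, ...opts });
const and = (...clauses) => ({ type: 'and', clauses });
const or = (...clauses) => ({ type: 'or', clauses });

// Render a node as KQL; every AND/OR group gets its own parentheses.
function render(node) {
  if (node.type === 'term') {
    if (node.wildcard) return `${node.field}:(*${node.value}*)`;
    return `${node.field}: ${node.quote ? `"${node.value}"` : node.value}`;
  }
  const op = node.type === 'and' ? ' AND ' : ' OR ';
  return `(${node.clauses.map(render).join(op)})`;
}

// Composed from small clauses: the list filter and the free-text search are
// built separately and combined last, so the OR group cannot leak out.
function listFilter(listId) {
  return and(term(LIST_TYPE, 'item'), term(LIST_ID, listId, { quote: true }));
}
function searchClauses(search) {
  return SEARCHABLE_FIELDS.map((field) => term(field, search, { wildcard: true }));
}
function groupedQuery(listId, search) {
  return and(listFilter(listId), or(...searchClauses(search)));
}

// The pre-fix string form: the OR chain is appended without its own group.
function ungroupedQueryString(listId, search) {
  return `(${render(listFilter(listId))} AND ${searchClauses(search).map(render).join(' OR ')})`;
}
// With AND binding tighter than OR, that string is parsed as this tree:
// only the name clause is still constrained by the list filter.
function ungroupedQueryAst(listId, search) {
  const [name, ...rest] = searchClauses(search);
  return or(and(listFilter(listId), name), ...rest);
}

// Toy evaluator: dotted-path lookup with array flattening, "contains" for wildcards.
function valuesAt(doc, path) {
  return path.split('.').reduce((acc, key) => acc.flatMap((v) => {
    if (v == null || typeof v !== 'object') return [];
    const next = v[key];
    return Array.isArray(next) ? next : next === undefined ? [] : [next];
  }), [doc]);
}
function matches(doc, node) {
  if (node.type === 'term') {
    return valuesAt(doc, node.field).some((v) => node.wildcard
      ? String(v).toLowerCase().includes(node.value.toLowerCase())
      : String(v) === node.value);
  }
  const fn = node.type === 'and' ? 'every' : 'some';
  return node.clauses[fn]((c) => matches(doc, c));
}
function searchIds(docs, ast) {
  return docs.filter((d) => matches(d, ast)).map((d) => d.id);
}

// Constructed saved objects: three belong to the trusted-apps list, two do not.
const attrs = (list_type, list_id, name, description, entries) => ({
  'exception-list-agnostic': { attributes: { list_type, list_id, name, description, entries } },
});
const SAMPLE_DOCS = [
  { id: 'ta-1', ...attrs('item', 'endpoint_trusted_apps', 'Eve Agent', '', [{ value: 'C:\\eve.exe' }]) },
  { id: 'ta-2', ...attrs('item', 'endpoint_trusted_apps', 'Adobe', 'updater', [{ value: 'C:\\adobe.exe' }]) },
  { id: 'ta-3', ...attrs('item', 'endpoint_trusted_apps', 'Notepad', '', [{ entries: [{ value: 'eve.dll' }] }]) },
  { id: 'other-1', ...attrs('item', 'some_other_list', 'Notes', 'Evernote sync', []) },
  { id: 'other-2', ...attrs('list', 'endpoint_trusted_apps', 'Trusted apps', 'Eve maintains this', []) },
];

console.log(render(groupedQuery('endpoint_trusted_apps', 'Eve')));
console.log('grouped  :', searchIds(SAMPLE_DOCS, groupedQuery('endpoint_trusted_apps', 'Eve')));
console.log('ungrouped:', searchIds(SAMPLE_DOCS, ungroupedQueryAst('endpoint_trusted_apps', 'Eve')));
```

The grouped query returns only `ta-1` and `ta-3`, while the tree the ungrouped string parses into also returns `other-1` and `other-2`, whose descriptions match but which are not items of `endpoint_trusted_apps`. Because `render` parenthesises every group, a query composed this way cannot reproduce the bug regardless of how many searchable fields are added later.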

@dasansol92
Contributor Author

> Since this is quite a long query with many terms I would suggest to break this up into smaller clauses and then compose the query predicate. It would be easier to maintain and change in the future.

Are you talking about the test?

@ashokaditya
Member

> Since this is quite a long query with many terms I would suggest to break this up into smaller clauses and then compose the query predicate. It would be easier to maintain and change in the future.

> Are you talking about the test?

No, not the test. The actual query where the parentheses were missing. I presume this PR adds the test for a change that was done in an earlier PR.

@dasansol92
Contributor Author

> Since this is quite a long query with many terms I would suggest to break this up into smaller clauses and then compose the query predicate. It would be easier to maintain and change in the future.

> Are you talking about the test?

> No, not the test. The actual query where the parentheses were missing. I presume this PR adds the test for a change that was done in an earlier PR.

Maybe I misunderstood something, but no, this test is because of the changes on the current query (the ones in this PR).

Contributor

@paul-tavares paul-tavares left a comment


Just one question - but other than that, LGTM 🚢

@@ -35,7 +35,7 @@ describe('utils', () => {
searchableFields
)
).toBe(
"exception-list-agnostic.attributes.name:(*this'is%&query\\{\\}[]!¿?with.,-+`´special\\<\\>ºª@#|·chars*) OR exception-list-agnostic.attributes.description:(*this'is%&query\\{\\}[]!¿?with.,-+`´special\\<\\>ºª@#|·chars*) OR exception-list-agnostic.attributes.entries.value:(*this'is%&query\\{\\}[]!¿?with.,-+`´special\\<\\>ºª@#|·chars*) OR exception-list-agnostic.attributes.entries.entries.value:(*this'is%&query\\{\\}[]!¿?with.,-+`´special\\<\\>ºª@#|·chars*)"
"(exception-list-agnostic.attributes.name:(*this'is%&query\\{\\}[]!¿?with.,-+`´special\\<\\>ºª@#|·chars*) OR exception-list-agnostic.attributes.description:(*this'is%&query\\{\\}[]!¿?with.,-+`´special\\<\\>ºª@#|·chars*) OR exception-list-agnostic.attributes.entries.value:(*this'is%&query\\{\\}[]!¿?with.,-+`´special\\<\\>ºª@#|·chars*) OR exception-list-agnostic.attributes.entries.entries.value:(*this'is%&query\\{\\}[]!¿?with.,-+`´special\\<\\>ºª@#|·chars*))"
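Review bot: the expected string in this assertion spells out the same four-field OR chain by hand, so every future change to the searchable fields or the wrapper means editing a very long literal; since `searchableFields` is already in scope on the line above, build the expectation from it (e.g. `'(' + searchableFields.map((f) => `${f}:(*${term}*)`).join(' OR ') + ')'`) so the test documents the shape of the output rather than a wall of characters. A second case with an empty search term would also be worth adding, so the new wrapping is shown not to emit a bare `()` group when there is nothing to search for.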
Contributor


Ok. First: I'm dizzy looking at this. Second: 👏

Question: I don't see a ( or ) used as a value in the above test. Do we need to escape it if the user enters it?

Contributor Author


Yeah, we don't need to escape it, as it will be between `**` inside each query for each field.

@dasansol92 dasansol92 merged commit c940da4 into elastic:master Jun 22, 2021
kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Jun 22, 2021
…102612)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
@kibanamachine
Contributor

💚 Backport successful

Status Branch Result
7.x

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Jun 22, 2021
…#102941)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: David Sánchez <davidsansol92@gmail.com>
Labels
auto-backport Deprecated - use backport:version if exact versions are needed release_note:skip Skip the PR/issue when compiling release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v7.14.0 v8.0.0