prevent parens and whitespace in consumer or alerttypeid

gmmorris · Jun 24, 2020 · 3ccb14f · 3ccb14f
1 parent cc06e67
commit 3ccb14f
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 10 deletions.
diff --git a/x-pack/plugins/alerts/server/authorization/alerts_authorization.test.ts b/x-pack/plugins/alerts/server/authorization/alerts_authorization.test.ts
@@ -816,12 +816,20 @@ describe('ensureFieldIsSafeForQuery', () => {
       `expected id not to include invalid character: <=`
     );
 
-    expect(() => ensureFieldIsSafeForQuery('id', '<"" or >=""')).toThrowError(
-      `expected id not to include invalid characters: <, >=`
+    expect(() => ensureFieldIsSafeForQuery('id', '>=""')).toThrowError(
+      `expected id not to include invalid character: >=`
     );
 
     expect(() => ensureFieldIsSafeForQuery('id', '1 or alertid:123')).toThrowError(
-      `expected id not to include invalid character: :`
+      `expected id not to include whitespace and invalid character: :`
+    );
+
+    expect(() => ensureFieldIsSafeForQuery('id', ') or alertid:123')).toThrowError(
+      `expected id not to include whitespace and invalid characters: ), :`
+    );
+
+    expect(() => ensureFieldIsSafeForQuery('id', 'some space')).toThrowError(
+      `expected id not to include whitespace`
     );
   });
 

diff --git a/x-pack/plugins/alerts/server/authorization/alerts_authorization.ts b/x-pack/plugins/alerts/server/authorization/alerts_authorization.ts
@@ -5,7 +5,7 @@
  */
 
 import Boom from 'boom';
-import { pluck, mapValues } from 'lodash';
+import { pluck, mapValues, remove } from 'lodash';
 import { KibanaRequest } from 'src/core/server';
 import { ALERTS_FEATURE_ID } from '../../common';
 import { AlertTypeRegistry } from '../types';
@@ -269,13 +269,17 @@ export class AlertsAuthorization {
 }
 
 export function ensureFieldIsSafeForQuery(field: string, value: string): boolean {
-  const invalid = value.match(/[>=<\*:]+/g);
+  const invalid = value.match(/([>=<\*:()]+|\s+)/g);
   if (invalid) {
-    throw new Error(
-      `expected ${field} not to include invalid character${
-        invalid.length > 1 ? `s` : ``
-      }: ${invalid?.join(`, `)}`
-    );
+    const whitespace = remove(invalid, (chars) => chars.trim().length === 0);
+    const errors = [];
+    if (whitespace.length) {
+      errors.push(`whitespace`);
+    }
+    if (invalid.length) {
+      errors.push(`invalid character${invalid.length > 1 ? `s` : ``}: ${invalid?.join(`, `)}`);
+    }
+    throw new Error(`expected ${field} not to include ${errors.join(' and ')}`);
   }
   return true;
 }