From 12fa43c87885fc892a3adee7e699141a24e218ff Mon Sep 17 00:00:00 2001
From: Kawika Avilla
Date: Thu, 1 Dec 2022 11:48:54 +0000
Subject: [PATCH] Add disablePrototypePoisoningProtection configuration

Enables the configuration of `disablePrototypePoisoningProtection` by setting `opensearch.disablePrototypePoisoningProtection`. Enables users to store protected logs that include reserve words from JS without the OpenSearch JS client throwing errors. Related issue: https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1777
Signed-off-by: Kawika Avilla
---
 CHANGELOG.md | 1 +
 config/opensearch_dashboards.yml | 3 +++
 .../opensearch/client/client_config.test.ts | 18 ++++++++++++++++++
 .../server/opensearch/client/client_config.ts | 5 +++++
 .../opensearch/opensearch_config.test.ts | 1 +
 .../server/opensearch/opensearch_config.ts | 8 ++++++++
 .../resources/bin/opensearch-dashboards-docker | 1 +
 yarn.lock | 5 -----
 8 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0bdc2bbe1b2f..b5457443dab1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,6 +46,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [Vis Builder] Add field summary popovers ([#2682](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2682))
 - [I18n] Register ru, ru-RU locale ([#2817](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2817))
 - Add yarn opensearch arg to setup plugin dependencies ([#2544](https://github.com/opensearch-project/OpenSearch-Dashboards/issues/2544))
+- Add disablePrototypePoisoningProtection configuration ([#2992](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2992))
 ### 🐛 Bug Fixes
diff --git a/config/opensearch_dashboards.yml b/config/opensearch_dashboards.yml
index 4d81b0b3be69..0acca0a81449 100644
--- a/config/opensearch_dashboards.yml
+++ b/config/opensearch_dashboards.yml
@@ -107,6 +107,9 @@
 # Logs queries sent to OpenSearch. Requires logging.verbose set to true.
 #opensearch.logQueries: false
+# Disables errors from client and enables you to utilize protected words within cluster
+#opensearch.disablePrototypePoisoningProtection: false
+
 # Specifies the path where OpenSearch Dashboards creates the process ID file.
 #pid.file: /var/run/opensearchDashboards.pid
diff --git a/src/core/server/opensearch/client/client_config.test.ts b/src/core/server/opensearch/client/client_config.test.ts
index d32508ec43aa..b3d1ff95d7dc 100644
--- a/src/core/server/opensearch/client/client_config.test.ts
+++ b/src/core/server/opensearch/client/client_config.test.ts
@@ -184,6 +184,24 @@ describe('parseClientOptions', () => {
 ]
 `);
 });
+
+ it('`disablePrototypePoisoningProtection` option', () => {
+ expect(
+ parseClientOptions(createConfig({ disablePrototypePoisoningProtection: false }), false)
+ .disablePrototypePoisoningProtection
+ ).toEqual(false);
+ expect(
+ parseClientOptions(createConfig({ disablePrototypePoisoningProtection: true }), false)
+ .disablePrototypePoisoningProtection
+ ).toEqual(true);
+
+ expect(
+ parseClientOptions(createConfig({}), false).disablePrototypePoisoningProtection
+ ).toBeUndefined();
+ expect(
+ parseClientOptions(createConfig({}), true).disablePrototypePoisoningProtection
+ ).toBeUndefined();
+ });
 });
 describe('authorization', () => {
diff --git a/src/core/server/opensearch/client/client_config.ts b/src/core/server/opensearch/client/client_config.ts
index 6746ee5648ed..0432bb8ddfd6 100644
--- a/src/core/server/opensearch/client/client_config.ts
+++ b/src/core/server/opensearch/client/client_config.ts
@@ -52,6 +52,7 @@ export type OpenSearchClientConfig = Pick<
 | 'hosts'
 | 'username'
 | 'password'
+ | 'disablePrototypePoisoningProtection'
 > & {
 memoryCircuitBreaker?:
 | OpenSearchConfig['memoryCircuitBreaker']
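Review bot: The comment added above `#opensearch.disablePrototypePoisoningProtection` in config/opensearch_dashboards.yml describes the setting as disabling "errors from client", which hides that `true` switches off a safety check rather than a nuisance. As far as I can tell the protection makes the client reject response bodies carrying keys such as `__proto__` or `constructor`, so the comment should say so and state when enabling it is justified, for example `# Set to true only if stored documents legitimately contain keys such as __proto__ or constructor; this turns off the client's prototype-poisoning check when parsing responses.` The TSDoc added for `disablePrototypePoisoningProtection` on `OpenSearchConfig` in opensearch_config.ts has the same defect and reads with inverted polarity ("whether the client should attempt to protect"); it should state that `true` disables the protection and that leaving it unset keeps it on.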
@@ -115,6 +116,10 @@ export function parseClientOptions(config: OpenSearchClientConfig, scoped: boole
 );
 }
+ if (config.disablePrototypePoisoningProtection != null) {
+ clientOptions.disablePrototypePoisoningProtection = config.disablePrototypePoisoningProtection;
+ }
+
 return clientOptions;
 }
diff --git a/src/core/server/opensearch/opensearch_config.test.ts b/src/core/server/opensearch/opensearch_config.test.ts
index 25cbee718d00..d7a17c12d293 100644
--- a/src/core/server/opensearch/opensearch_config.test.ts
+++ b/src/core/server/opensearch/opensearch_config.test.ts
@@ -72,6 +72,7 @@ test('set correct defaults', () => {
 OpenSearchConfig {
 "apiVersion": "7.x",
 "customHeaders": Object {},
+ "disablePrototypePoisoningProtection": undefined,
 "healthCheckDelay": "PT2.5S",
 "hosts": Array [
 "http://localhost:9200",
diff --git a/src/core/server/opensearch/opensearch_config.ts b/src/core/server/opensearch/opensearch_config.ts
index 9b7bdff21cdc..fee26c354fbe 100644
--- a/src/core/server/opensearch/opensearch_config.ts
+++ b/src/core/server/opensearch/opensearch_config.ts
@@ -142,6 +142,7 @@ export const configSchema = schema.object({
 }),
 schema.boolean({ defaultValue: false })
 ),
+ disablePrototypePoisoningProtection: schema.maybe(schema.boolean({ defaultValue: false })),
 });
 const deprecations: ConfigDeprecationProvider = ({ renameFromRoot, renameFromRootWithoutMap }) => [
@@ -318,6 +319,12 @@ export class OpenSearchConfig {
 */
 public readonly customHeaders: OpenSearchConfigType['customHeaders'];
+ /**
+ * Specifies whether the client should attempt to protect against reserved words
+ * or not.
+ */
+ public readonly disablePrototypePoisoningProtection?: boolean;
+
 constructor(rawConfig: OpenSearchConfigType) {
 this.ignoreVersionMismatch = rawConfig.ignoreVersionMismatch;
 this.apiVersion = rawConfig.apiVersion;
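Review bot: Nothing visible in this patch tells an operator that a parser-level protection has been switched off; the new `if (config.disablePrototypePoisoningProtection != null)` block in `parseClientOptions` copies the flag into `clientOptions` regardless of `scoped`. A one-time warning emitted when the value is `true` would make the weakened state visible in logs and during incident review; the place where the client is constructed is outside this hunk, so whether a logger is in reach there needs checking. At minimum the block deserves a why-comment such as `// Security-relevant: true turns off the client's prototype-poisoning check on parsed responses.` The body of `parseClientOptions` starts above the hunk.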
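Review bot: In the `configSchema` hunk, `schema.maybe(schema.boolean({ defaultValue: false }))` declares a default that does not appear to be applied: the snapshot updated in opensearch_config.test.ts records `"disablePrototypePoisoningProtection": undefined` for the default configuration. With the key unset, the effective behaviour is therefore whatever the client library defaults to, not an explicit `false`, and that could change with a client upgrade. For a switch that weakens a protection an explicit default is the safer contract: `disablePrototypePoisoningProtection: schema.boolean({ defaultValue: false }),` with the snapshot expectation adjusted to `false`. The enclosing `schema.object({ … })` starts outside the hunk.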
@@ -338,6 +345,7 @@ export class OpenSearchConfig {
 this.username = rawConfig.username;
 this.password = rawConfig.password;
 this.customHeaders = rawConfig.customHeaders;
+ this.disablePrototypePoisoningProtection = rawConfig.disablePrototypePoisoningProtection;
 const { alwaysPresentCertificate, verificationMode } = rawConfig.ssl;
 const { key, keyPassphrase, certificate, certificateAuthorities } = readKeyAndCerts(rawConfig);
diff --git a/src/dev/build/tasks/os_packages/docker_generator/resources/bin/opensearch-dashboards-docker b/src/dev/build/tasks/os_packages/docker_generator/resources/bin/opensearch-dashboards-docker
index a5cefbc2397c..de9ec4e4b5de 100755
--- a/src/dev/build/tasks/os_packages/docker_generator/resources/bin/opensearch-dashboards-docker
+++ b/src/dev/build/tasks/os_packages/docker_generator/resources/bin/opensearch-dashboards-docker
@@ -50,6 +50,7 @@ opensearch_dashboards_vars=(
 opensearch.ssl.truststore.password
 opensearch.ssl.verificationMode
 opensearch.username
+ opensearch.disablePrototypePoisoningProtection
 i18n.locale
 interpreter.enableInVisualize
 opensearchDashboards.autocompleteTerminateAfter
diff --git a/yarn.lock b/yarn.lock
index 822684d097bd..b40434b8fc20 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -16566,11 +16566,6 @@ strip-json-comments@3.1.1, strip-json-comments@^3.0.1, strip-json-comments@^3.1. resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-3.1.1.tgz#31f1281b3832630434831c310c01cccda8cbe006" integrity sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig== -strip-json-comments@~2.0.1: - version "2.0.1" - resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-2.0.1.tgz#3c531942e908c2697c0ec344858c286c7ca0a60a" - integrity sha1-PFMZQukIwml8DsNEhYwobHygpgo= - strong-log-transformer@^2.1.0: version "2.1.0" resolved "https://registry.yarnpkg.com/strong-log-transformer/-/strong-log-transformer-2.1.0.tgz#0f5ed78d325e0421ac6f90f7f10e691d6ae3ae10"