Audit usage of server-side code generation from strings

[legrego]

This is essentially a server-side version of #36311.

Code generation from strings is a powerful tool, but with great power comes...a significant increase in attack surface.

Node.js has a --disallow-code-generation-from-strings command line argument that allows us to block this feature altogether. Before we can even consider such a drastic measure, we should audit all places that Kibana directly and indirectly requires this functionality.

Ideally, this would run as part of CI for the functional UI tests and fail CI if we find new usages which aren't already known. This will let us work toward removing all existing usages without continuing to add new usages which later have to be addressed. We could also potentially use this same approach as part of dev mode to catch violations which aren't covered by the functional ui tests.

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[legrego]

@watson I know you had made some progress on this a while back. If you still have the branch available, would you be able to reference it here so we don't lose track of your work?

[watson]

@legrego 👍 Will pack together what I have and push it to a branch ASAP

[watson]

This is the current status:

Initially I thought it was possible to simply overwrite the global eval / Function with a custom eval that would allow hooks to be added. I developed an npm package for that called codegen-audit. However, in the initial testing it turned out that this approach didn't work as overwriting eval had side effects. So this package was never published to npm, and still just lives in my repo: https://github.com/watson/codegen-audit (there's also a wip branch in the codegen-audit repo, which contain code that I was in the middle of writing when the project was paused: https://github.com/watson/codegen-audit/tree/wip)

Instead we need to add official hooks into the eval / Function code inside Node.js core. I collaborated on a PR to do that here: nodejs/node#35157

However, that PR doesn't work as is (which is also why it was never merged) because it requires some changes to V8 itself. I never got around to making these changes in V8, which is where the work is currently stranded. I believe the details of what needs to be done is documented in the above PR.

The TL;DR is that the V8 hooks into eval / Function doesn't expect JavaScript code to be called from within the hooks - only C/C++ code. So when that happens the memory is in an unknown state and the Node.js processes crashes. All that's needed is for the V8 code to be augmented with a few lines of code so it correctly handles the memory issue. So this should be fairly simple to do.

Finally I have a WIP commit/branch of Kibana which I pushed to my fork of Kibana which ties all this together: You can see the source here: main...watson:kibana:audit-code-gen

[watson]

I took a stab at recreating the original Node.js PR and to work on where in V8 the mentioned changes needed to go. I've created a new draft PR for the purpose of getting help with the V8 changes as I'm not that familiar with the V8 codebase: nodejs/node#48295