
[CVE] Handle invalid query, index and date in vega charts filter handlers #1932

Merged
merged 3 commits into from
Jul 28, 2022

Conversation

bandinib-amzn
Member

Description

Potential way to prevent XSS vulnerability discovered in the Vega charts OSD integration.

CVE link:
https://nvd.nist.gov/vuln/detail/CVE-2022-23713

Signed-off-by: Bandini Bhopi bandinib@amazon.com

Testing:

Sanity testing by creating Vega visualization from Vega Example Gallery

Check List

  • New functionality includes testing.
    • All tests pass
      • yarn test:jest
      • yarn test:jest_integration
      • yarn test:ftr
  • New functionality has been documented.
  • Commits are signed per the DCO using --signoff

…lers

Potential way to prevent XSS vulnerability discovered in the Vega charts OSD integration.

CVE link:
https://nvd.nist.gov/vuln/detail/CVE-2022-23713

Signed-off-by: Bandini Bhopi <bandinib@amazon.com>
@bandinib-amzn bandinib-amzn marked this pull request as ready for review July 22, 2022 22:19
@bandinib-amzn bandinib-amzn requested a review from a team as a code owner July 22, 2022 22:19
@bandinib-amzn bandinib-amzn self-assigned this Jul 22, 2022
@bandinib-amzn bandinib-amzn added labels "medium severity" (Medium severity CVE) and "cve" (Security vulnerabilities detected by Dependabot or Mend) Jul 22, 2022
@seraphjiang seraphjiang requested a review from ZilongX July 22, 2022 23:08
Member

@kavilla kavilla left a comment


Looks pretty good! Just some license headers stuff and we can probably backport this to the 1.x branch.

Review threads (resolved):
  • packages/osd-std/src/validate_object.test.ts
  • packages/osd-std/src/validate_object.ts (outdated)
  • src/plugins/vis_type_vega/public/data_model/utils.test.js (outdated)
bandinib-amzn and others added 2 commits July 26, 2022 19:10
@codecov-commenter

Codecov Report

Merging #1932 (995df04) into main (57a751e) will increase coverage by 0.01%.
The diff coverage is 84.44%.

@@            Coverage Diff             @@
##             main    #1932      +/-   ##
==========================================
+ Coverage   67.48%   67.50%   +0.01%     
==========================================
  Files        3076     3077       +1     
  Lines       59144    59184      +40     
  Branches     8989     9003      +14     
==========================================
+ Hits        39915    39953      +38     
- Misses      17044    17045       +1     
- Partials     2185     2186       +1     
Impacted Files Coverage Δ
...s/vis_type_vega/public/vega_view/vega_base_view.js 55.55% <0.00%> (ø)
packages/osd-std/src/validate_object.ts 91.30% <91.30%> (ø)
...c/plugins/vis_type_vega/public/data_model/utils.ts 73.33% <100.00%> (+34.87%) ⬆️


Member

@manasvinibs manasvinibs left a comment


LGTM

@ananzh ananzh merged commit 9496da3 into opensearch-project:main Jul 28, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jul 28, 2022
…lers (#1932)

* [CVE] Handle invalid query, index and date in vega charts filter handlers

Potential way to prevent XSS vulnerability discovered in the Vega charts OSD integration.

CVE link:
https://nvd.nist.gov/vuln/detail/CVE-2022-23713

Signed-off-by: Bandini Bhopi <bandinib@amazon.com>

* new license header for new files

Signed-off-by: Bandini Bhopi <bandinib@amazon.com>

Co-authored-by: Kawika Avilla <kavilla414@gmail.com>
(cherry picked from commit 9496da3)
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jul 28, 2022
…lers (#1932)
kavilla pushed a commit that referenced this pull request Jul 29, 2022
…lers (#1932) (#2002)

Co-authored-by: Bandini <63824432+bandinib-amzn@users.noreply.github.com>
@bandinib-amzn bandinib-amzn deleted the vega-charts-cve branch August 2, 2022 05:09
noCharger pushed a commit that referenced this pull request Aug 3, 2022
…lers (#1932)
CPTNB pushed a commit to CPTNB/OpenSearch-Dashboards that referenced this pull request Aug 8, 2022
…lers (opensearch-project#1932)
opensearch-trigger-bot bot pushed a commit that referenced this pull request Aug 23, 2022
…lers (#1932)
ananzh pushed a commit that referenced this pull request Sep 7, 2022
…lers (#1932) (#2001)

Co-authored-by: Bandini <63824432+bandinib-amzn@users.noreply.github.com>
kavilla pushed a commit that referenced this pull request Sep 12, 2022
…lers (#1932) (#2191)

Co-authored-by: Bandini <63824432+bandinib-amzn@users.noreply.github.com>
Labels
backport 1.3, backport 2.x, cve (Security vulnerabilities detected by Dependabot or Mend), medium severity (Medium severity CVE), v1.3.6, v2.2.0

7 participants