Saved Object API calls that search for aliases can result in unhandled error #128282

Closed
jportner opened this issue Mar 22, 2022 · 1 comment · Fixed by #128289

jportner commented Mar 22, 2022

Kibana version:

8.0.0 - 8.1.1

Describe the bug:

This bug was introduced in #116007.

There are three occasions we search for legacy URL aliases of an object:

  1. If you are trying to create a saved object in 3+ spaces, or
  2. If you are attempting to "share" the object (edit its assigned spaces), while collecting its reference graph
  3. If you are attempting to delete an object that exists in * (all current and future spaces)

We search for aliases in the first two situations to prevent a "legacy URL alias conflict" scenario.
We use KQL to search for aliases with a matching sourceId in this situation:

```typescript
function createAliasKueryFilter(objects: Array<{ type: string; id: string }>) {
  const { buildNode } = esKuery.nodeTypes.function;
  // Note: these nodes include '.attributes' for type-level fields because these are eventually passed to `validateConvertFilterToKueryNode`, which requires it
  const kueryNodes = objects.reduce<unknown[]>((acc, { type, id }) => {
    const match1 = buildNode('is', `${LEGACY_URL_ALIAS_TYPE}.attributes.targetType`, type);
    const match2 = buildNode('is', `${LEGACY_URL_ALIAS_TYPE}.attributes.sourceId`, id);
    acc.push(buildNode('and', [match1, match2]));
    return acc;
  }, []);
  return buildNode('and', [
    buildNode('not', buildNode('is', `${LEGACY_URL_ALIAS_TYPE}.attributes.disabled`, true)), // ignore aliases that have been disabled
    buildNode('or', kueryNodes),
  ]);
}
```

We also use KQL to search for aliases with a matching targetId when deleting a saved object that exists in * (all current and future spaces):

```typescript
const { buildNode } = esKuery.nodeTypes.function;
const match1 = buildNode('is', `${LEGACY_URL_ALIAS_TYPE}.targetType`, type);
const match2 = buildNode('is', `${LEGACY_URL_ALIAS_TYPE}.targetId`, id);
const kueryNode = buildNode('and', [match1, match2]);
```

I discovered that the buildNode function throws an error when parsing any values that contain a : character:

SyntaxError: Expected end of input but ":" found.

This is a problem because saved object IDs can contain : characters; we have almost no validation on saved object IDs (see #105039).

Steps to reproduce:

  1. Run Kibana 8.2 (unreleased)
  2. Try to create a data view in * (all current and future spaces):
    curl -u elastic:changeme -k -X POST "http://localhost:5601/api/saved_objects/index-pattern/my:pattern" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
    {
      "attributes": {
        "title": "my-pattern-*"
      },
      "initialNamespaces": ["*"]
    }
    '
    
  3. Observe the error response:
    {"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred. Check Kibana server logs for details."}
  4. Observe the Kibana server logs:
    [2022-03-22T10:59:03.666-04:00][ERROR][http] SyntaxError: Expected end of input but ":" found.
        at new peg$SyntaxError (/Users/joe/GitHub/kibana-4/node_modules/@kbn/es-query/grammar/index.js:14:20)
        at peg$buildStructuredError (/Users/joe/GitHub/kibana-4/node_modules/@kbn/es-query/grammar/index.js:560:12)
        at peg$parse (/Users/joe/GitHub/kibana-4/node_modules/@kbn/es-query/grammar/index.js:2195:11)
        at fromExpression (/Users/joe/GitHub/kibana-4/node_modules/@kbn/es-query/target_node/kuery/ast/ast.js:26:10)
        at Object.fromLiteralExpression (/Users/joe/GitHub/kibana-4/node_modules/@kbn/es-query/target_node/kuery/ast/ast.js:34:10)
        at Object.buildNodeParams (/Users/joe/GitHub/kibana-4/node_modules/@kbn/es-query/target_node/kuery/functions/is.js:46:53)
        at buildNode (/Users/joe/GitHub/kibana-4/node_modules/@kbn/es-query/target_node/kuery/node_types/function.js:35:22)
        at reduce (/Users/joe/GitHub/kibana-4/src/core/server/saved_objects/service/lib/legacy_url_aliases/find_legacy_url_aliases.ts:75:20)
        at Array.reduce (<anonymous>)
        at createAliasKueryFilter (/Users/joe/GitHub/kibana-4/src/core/server/saved_objects/service/lib/legacy_url_aliases/find_legacy_url_aliases.ts:72:30)
    

The third scenario (deleting an object) is a bit different: the server catches and swallows the error so the client doesn't see it:

[2022-03-22T11:57:53.064-04:00][ERROR][savedobjects-service.repository] Unable to delete aliases when deleting an object: Expected end of input but ":" found.

Expected behavior:

Searching for aliases shouldn't result in an error.

Any additional context:

This bug doesn't affect users because we don't have any consumers that use these code paths in 8.0/8.1. But we need to get this fixed for 8.2 because data views are now shareable.

jportner added the bug, Team:Security, Feature:Saved Objects, and Feature:Security/Sharing Saved Objects labels Mar 22, 2022
jportner self-assigned this Mar 22, 2022
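
The failure mode described in the issue, as an added example that is not code from the issue or from Kibana: a toy literal parser (`parseLiteral`, hypothetical) stands in for the KQL grammar, and three node builders are audited against constructed IDs. It goes slightly beyond the issue by also flagging IDs that parse without error but come out as a different value; the field name and both remedies are assumptions for illustration.

```javascript
// Simplified model of the failure mode in the issue. parseLiteral and the node
// shapes are hypothetical stand-ins, not the @kbn/es-query implementation.
const SYNTAX_CHARS = /[\\():<>"*{}]/;

// Toy grammar: a literal is either "quoted with \-escapes" or a bare word
// that contains no syntax characters.
function parseLiteral(text) {
  const quoted = /^"((?:[^"\\]|\\.)*)"$/.exec(text);
  if (quoted) return { type: 'literal', value: quoted[1].replace(/\\(.)/g, '$1') };
  const bad = SYNTAX_CHARS.exec(text);
  if (bad) throw new SyntaxError(`Expected end of input but "${bad[0]}" found.`);
  return { type: 'literal', value: text };
}

const isNode = (field, valueNode) => ({
  type: 'function',
  function: 'is',
  arguments: [{ type: 'literal', value: field }, valueNode],
});

// Pattern from the issue: the caller-supplied ID is run through the parser.
const buildParsed = (field, id) => isNode(field, parseLiteral(id));
// Remedy A (assumption): wrap the ID as data and never parse it.
const buildLiteral = (field, id) => isNode(field, { type: 'literal', value: String(id) });
// Remedy B (assumption): quote and escape the ID so the parser sees one literal.
const quote = (id) => `"${String(id).replace(/[\\"]/g, '\\$&')}"`;
const buildQuoted = (field, id) => isNode(field, parseLiteral(quote(id)));

// Report IDs that make the builder throw (the HTTP 500 path) and IDs that
// parse but come out as a different value (a silent wrong match).
function audit(builder, ids) {
  const result = { threw: [], altered: [] };
  for (const id of ids) {
    try {
      const node = builder('alias.attributes.sourceId', id); // placeholder field
      if (node.arguments[1].value !== id) result.altered.push(id);
    } catch (err) {
      if (!(err instanceof SyntaxError)) throw err;
      result.threw.push(id);
    }
  }
  return result;
}

// Constructed sample IDs; 'my:pattern' is the one used in the reproduction.
const SAMPLE_IDS = ['my-pattern', 'my:pattern', 'a"b', 'back\\slash', '(x)', '"x"'];
for (const [name, fn] of Object.entries({ buildParsed, buildLiteral, buildQuoted })) {
  console.log(name, JSON.stringify(audit(fn, SAMPLE_IDS)));
}
```

A table of IDs like `SAMPLE_IDS` works as a regression test for any code path that turns a caller-supplied identifier into a query node.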
@elasticmachine

Pinging @elastic/kibana-security (Team:Security)

exalate-issue-sync bot added the impact:needs-assessment label Mar 22, 2022