[8.18] [ML] Improving anomaly charts object safety (#217552) (#218835)

# Backport

This will backport the following commits from `main` to `8.18`:
- [[ML] Improving anomaly charts object safety
(#217552)](#217552)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"James
Gowdy","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-04-22T14:52:12Z","message":"[ML]
Improving anomaly charts object safety (#217552)\n\nAdds checks for the
values `__proto__` and `prototype` when reading\ndetector fields to
reduce the risk of prototype
pollution.","sha":"60af3ff3d525e830812b0986825d23d7041bef63","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix",":ml","Feature:Anomaly
Detection","backport:version","v9.1.0","v8.19.0","v8.18.1","v9.0.1","v8.17.6"],"title":"[ML]
Improving anomaly charts object
safety","number":217552,"url":"https://github.com/elastic/kibana/pull/217552","mergeCommit":{"message":"[ML]
Improving anomaly charts object safety (#217552)\n\nAdds checks for the
values `__proto__` and `prototype` when reading\ndetector fields to
reduce the risk of prototype
pollution.","sha":"60af3ff3d525e830812b0986825d23d7041bef63"}},"sourceBranch":"main","suggestedTargetBranches":["8.19","8.18","9.0","8.17"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/217552","number":217552,"mergeCommit":{"message":"[ML]
Improving anomaly charts object safety (#217552)\n\nAdds checks for the
values `__proto__` and `prototype` when reading\ndetector fields to
reduce the risk of prototype
pollution.","sha":"60af3ff3d525e830812b0986825d23d7041bef63"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.0","label":"v9.0.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.17","label":"v8.17.6","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: James Gowdy <[email protected]>

Author: kibanamachine

x-pack/platform/plugins/shared/ml/server/models/results_service/anomaly_charts.ts

@@ -531,6 +531,11 @@ export function anomalyChartsDataProvider(mlClient: MlClient, client: IScopedClu
         record.partition_field_name ?? record.by_field_name ?? record.over_field_name;
       const firstFieldValue =
         record.partition_field_value ?? record.by_field_value ?? record.over_field_value;
+
+      if (fieldsSafe([firstFieldName, firstFieldValue]) === false) {
+        return;
+      }
+
       if (firstFieldName !== undefined && firstFieldValue !== undefined) {
         const groupsForDetector = detectorsForJob[detectorIndex];
 
@@ -567,25 +572,31 @@ export function anomalyChartsDataProvider(mlClient: MlClient, client: IScopedClu
           const secondFieldName = record.over_field_name ?? record.by_field_name;
           const secondFieldValue = record.over_field_value ?? record.by_field_value;
 
-          if (secondFieldName !== undefined && secondFieldValue !== undefined) {
-            if (dataForGroupValue[secondFieldName] === undefined) {
-              dataForGroupValue[secondFieldName] = Object.create(null);
-            }
+          if (
+            secondFieldName === undefined ||
+            secondFieldValue === undefined ||
+            fieldsSafe([secondFieldName, secondFieldValue]) === false
+          ) {
+            return;
+          }
 
-            const splitsForGroup = dataForGroupValue[secondFieldName];
-            if (splitsForGroup[secondFieldValue] === undefined) {
-              splitsForGroup[secondFieldValue] = Object.create(null);
-            }
+          if (dataForGroupValue[secondFieldName] === undefined) {
+            dataForGroupValue[secondFieldName] = Object.create(null);
+          }
 
-            const dataForSplitValue = splitsForGroup[secondFieldValue];
-            if (dataForSplitValue.maxScoreRecord === undefined) {
+          const splitsForGroup = dataForGroupValue[secondFieldName];
+          if (splitsForGroup[secondFieldValue] === undefined) {
+            splitsForGroup[secondFieldValue] = Object.create(null);
+          }
+
+          const dataForSplitValue = splitsForGroup[secondFieldValue];
+          if (dataForSplitValue.maxScoreRecord === undefined) {
+            dataForSplitValue.maxScore = record.record_score;
+            dataForSplitValue.maxScoreRecord = record;
+          } else {
+            if (record.record_score > dataForSplitValue.maxScore) {
               dataForSplitValue.maxScore = record.record_score;
               dataForSplitValue.maxScoreRecord = record;
-            } else {
-              if (record.record_score > dataForSplitValue.maxScore) {
-                dataForSplitValue.maxScore = record.record_score;
-                dataForSplitValue.maxScoreRecord = record;
-              }
             }
           }
         }
@@ -648,6 +659,15 @@ export function anomalyChartsDataProvider(mlClient: MlClient, client: IScopedClu
     return { records: recordsForSeries, errors: errorMessages };
   }
 
+  function fieldsSafe(fields: Array<string | number | undefined>) {
+    return fields.every((field) => {
+      if (typeof field === 'string') {
+        return field !== '__proto__' && field !== 'prototype';
+      }
+      return true;
+    });
+  }
+
   function buildConfigFromDetector(job: MlJob, detectorIndex: number) {
     const analysisConfig = job.analysis_config;
     const detector = analysisConfig.detectors[detectorIndex];
@@ -948,9 +968,9 @@ export function anomalyChartsDataProvider(mlClient: MlClient, client: IScopedClu
       (record) => (record.function_description || record.function) === ML_JOB_AGGREGATION.LAT_LONG
     );
 
-    const seriesConfigs = recordsToPlot.map((record) =>
-      buildConfig(record, combinedJobRecords[record.job_id])
-    );
+    const seriesConfigs = recordsToPlot
+      .filter((record) => record.job_id !== undefined)
+      .map((record) => buildConfig(record, combinedJobRecords[record.job_id]));
 
     const seriesConfigsNoGeoData = [];