[Osquery] Add osquery response action privilege checks to external Api#260947
Draft
tomsonpl wants to merge 5 commits intoelastic:mainfrom
Draft
[Osquery] Add osquery response action privilege checks to external Api#260947tomsonpl wants to merge 5 commits intoelastic:mainfrom
tomsonpl wants to merge 5 commits intoelastic:mainfrom
Conversation
Contributor
|
🤖 Jobs for this PR can be triggered through checkboxes. 🚧
ℹ️ To trigger the CI, please tick the checkbox below 👇
|
Contributor
Author
|
/ci |
Contributor
⏳ Build in-progress, with failures
Failed CI StepsHistorycc @tomsonpl |
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
|
|
||
| getEndpointService: () => endpointAppContextService, | ||
|
|
||
| getCheckOsqueryResponseActionAuthz: () => (params) => |
Contributor
There was a problem hiding this comment.
🟡 Medium server/request_context_factory.ts:194
The new getCheckOsqueryResponseActionAuthz method accesses plugins.osquery.checkResponseActionAuthz without null-checking plugins.osquery. If the osquery plugin is optional and not installed, invoking this method throws TypeError: Cannot read property 'checkResponseActionAuthz' of undefined at runtime. Consider adding optional chaining: plugins.osquery?.checkResponseActionAuthz.
🤖 Copy this AI Prompt to have your agent fix this:
In file x-pack/solutions/security/plugins/security_solution/server/request_context_factory.ts around line 194:
The new `getCheckOsqueryResponseActionAuthz` method accesses `plugins.osquery.checkResponseActionAuthz` without null-checking `plugins.osquery`. If the osquery plugin is optional and not installed, invoking this method throws `TypeError: Cannot read property 'checkResponseActionAuthz' of undefined` at runtime. Consider adding optional chaining: `plugins.osquery?.checkResponseActionAuthz`.
Evidence trail:
- x-pack/solutions/security/plugins/security_solution/server/request_context_factory.ts lines 194-195 (REVIEWED_COMMIT): new code `getCheckOsqueryResponseActionAuthz: () => (params) => plugins.osquery.checkResponseActionAuthz(request, params)`
- x-pack/solutions/security/plugins/security_solution/server/plugin_contract.ts line 79: `osquery: OsqueryPluginSetup;` (non-optional type declaration)
- x-pack/solutions/security/plugins/security_solution/kibana.jsonc lines 81-95: `osquery` listed in `optionalPlugins` array
| } | ||
| break; | ||
| } | ||
| } else if (isOsqueryResponseAction(actionData)) { |
Contributor
There was a problem hiding this comment.
🟡 Medium utils/rule_response_actions_validators.ts:175
When isOsqueryResponseAction matches a RuleResponseOsqueryAction from an existing rule, the authorization check at line 178-181 only looks for snake_case keys (saved_query_id, pack_id) in params, but RuleResponseOsqueryAction uses camelCase (savedQueryId, packId). This causes the check to always pass undefined for both fields, bypassing authorization validation for osquery actions with camelCase params.
🤖 Copy this AI Prompt to have your agent fix this:
In file x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/utils/rule_response_actions_validators.ts around line 175:
When `isOsqueryResponseAction` matches a `RuleResponseOsqueryAction` from an existing rule, the authorization check at line 178-181 only looks for snake_case keys (`saved_query_id`, `pack_id`) in `params`, but `RuleResponseOsqueryAction` uses camelCase (`savedQueryId`, `packId`). This causes the check to always pass `undefined` for both fields, bypassing authorization validation for osquery actions with camelCase params.
Evidence trail:
1. x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/utils/rule_response_actions_validators.ts lines 175-181 - authorization check only uses snake_case keys
2. x-pack/solutions/security/plugins/security_solution/server/endpoint/services/actions/utils/rule_response_actions_validators.ts lines 315-323 - `isOsqueryResponseAction` matches both `OsqueryResponseAction` and `RuleResponseOsqueryAction`
3. x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_response_actions/response_actions.gen.ts lines 78-84 - `OsqueryParamsCamelCase` uses camelCase keys (`savedQueryId`, `packId`)
4. x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_response_actions/response_actions.gen.ts lines 93-96 - `RuleResponseOsqueryAction` uses `params: OsqueryParamsCamelCase`
5. x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_response_actions/osquery_response_action.test.ts lines 51-56 and 71-76 - test confirms `RuleResponseOsqueryAction` uses camelCase (`packId`, `savedQueryId`)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.