This is essentially a server-side version of #36311.
Code generation from strings is a powerful tool, but with great power comes...a significant increase in attack surface.
Node.js has a --disallow-code-generation-from-strings command line argument that allows us to block this feature altogether. Before we can even consider such a drastic measure, we should audit all places that Kibana directly and indirectly requires this functionality.
Ideally, this would run as part of CI for the functional UI tests and fail CI if we find new usages which aren't already known. This will let us work toward removing all existing usages without continuing to add new usages which later have to be addressed. We could also potentially use this same approach as part of dev mode to catch violations which aren't covered by the functional UI tests.
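One way to run the audit described above, as an added example rather than Kibana's own code: wrap `eval` and the `Function` constructor during a test run, record each caller, and report callers missing from an allowlist. `KNOWN_USAGES`, the sample functions and all hook names are hypothetical.

```javascript
'use strict';
// Added example, not Kibana code. Hypothetical allowlist of known callers.
const KNOWN_USAGES = new Set(['legacyTemplate']);

function callSite() {
  // First stack frame that does not belong to the audit hooks themselves.
  const frames = new Error().stack.split('\n').slice(1).map((f) => f.trim());
  const hook = /^at (?:new )?(?:\w+\.)?(callSite|auditedEval|auditedFunction) /;
  const frame = frames.find((f) => !hook.test(f)) || '';
  const named = /^at (?:new )?([\w$.]+) \(/.exec(frame);
  return named ? named[1] : frame; // anonymous callers keyed by location
}

function installAudit(seen) {
  const OrigFunction = globalThis.Function;
  const origEval = globalThis.eval;
  function auditedFunction(...args) {
    seen.push({ api: 'Function', caller: callSite() });
    return OrigFunction(...args); // returning an object also satisfies `new`
  }
  auditedFunction.prototype = OrigFunction.prototype;
  // Also covers `fn.constructor(...)`, which bypasses the global binding.
  OrigFunction.prototype.constructor = auditedFunction;
  function auditedEval(source) {
    seen.push({ api: 'eval', caller: callSite() });
    return origEval(source); // indirect eval (global scope): audit runs only
  }
  globalThis.Function = auditedFunction;
  globalThis.eval = auditedEval;
  return function uninstall() {
    globalThis.Function = OrigFunction;
    globalThis.eval = origEval;
    OrigFunction.prototype.constructor = OrigFunction;
  };
}

// Constructed sample code standing in for modules the test suite exercises.
function legacyTemplate() { return new Function('x', 'return x + 1')(1); }
function newFeature() { return eval('2 * 21'); }

function runAudit(samples) {
  const seen = [];
  const uninstall = installAudit(seen);
  try { samples.forEach((fn) => fn()); } finally { uninstall(); }
  return seen.filter((u) => !KNOWN_USAGES.has(u.caller));
}

const unknown = runAudit([legacyTemplate, newFeature]);
console.log(unknown); // a CI job would fail when this list is non-empty
```

The async and generator function constructors are not hooked here, and the allowlist is keyed by function name only to keep the example short.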