Merge branch 'opensearch-project:main' into main

CHANGELOG.md

@@ -16,6 +16,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [CVE-2022-25912] Bumps simple-git from 3.4.0 to 3.15.0 ([#3036](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3036))
 - [CVE-2022-35256] Bumps node version from 14.20.0 to 14.20.1 [#3166](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3166))
 - [CVE-2022-46175] Bumps json5 version from 1.0.1 and 2.2.1 to 1.0.2 and 2.2.3 ([#3201](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3201))
+- [CVE-2022-25860] Bumps simple-git from 3.15.1 to 3.16.0 ([#3345](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3345))
 
 ### 📈 Features/Enhancements
 
@@ -56,7 +57,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [Vis Builder] Add app filter and query persistence without using state container ([#3100](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3100))
 - [Optimizer] Increase timeout waiting for the exiting of an optimizer worker ([#3193](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3193))
 - [Data] Update `createAggConfig` so that newly created configs can be added to beginning of `aggConfig` array ([#3160](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3160))
-
+- Add disablePrototypePoisoningProtection configuration to prevent JS client from erroring when cluster utilizes JS reserved words ([#2992](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2992))
 
 ### 🐛 Bug Fixes
 
@@ -121,6 +122,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - Removes `minimatch` manual resolution ([#3019](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3019))
 - Remove `github-checks-reporter`, an unused dependency ([#3126](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3126))
 - Upgrade `vega-lite` dependency to ^5.6.0 ([#3076](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3076))
+- Bumps `re2` and `supertest` ([3018](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3018))
 
 ### 🪛 Refactoring
 

config/opensearch_dashboards.yml

@@ -107,6 +107,11 @@
 # Logs queries sent to OpenSearch. Requires logging.verbose set to true.
 #opensearch.logQueries: false
 
+# Disables errors from the OpenSearch JS client and enables you to utilize protected words such as: 'boolean', 'proto', 'constructor'.
+# within cluster. By default, OpenSearch Dashboards and the client will protect you against prototype poisoning attacks.
+# WARNING: Index patterns are user-supplied data. Disabling this will place the expectation that you are handling the data safely.
+#opensearch.disablePrototypePoisoningProtection: false
+
 # Specifies the path where OpenSearch Dashboards creates the process ID file.
 #pid.file: /var/run/opensearchDashboards.pid
 

package.json

@@ -91,7 +91,6 @@
     "**/loader-utils": "^2.0.4",
     "**/node-jose": "^2.1.0",
     "**/nth-check": "^2.0.1",
-    "**/qs": "^6.10.3",
     "**/trim": "^0.0.3",
     "**/typescript": "4.0.2",
     "**/unset-value": "^2.0.1",
@@ -197,7 +196,7 @@
     "pegjs": "0.10.0",
     "proxy-from-env": "1.0.0",
     "query-string": "^6.13.2",
-    "re2": "^1.15.4",
+    "re2": "1.17.4",
     "react": "^16.14.0",
     "react-dom": "^16.12.0",
     "react-input-range": "^1.3.0",
@@ -320,7 +319,7 @@
     "@types/sinon": "^7.0.13",
     "@types/strip-ansi": "^5.2.1",
     "@types/styled-components": "^5.1.19",
-    "@types/supertest": "^2.0.11",
+    "@types/supertest": "^2.0.12",
     "@types/supertest-as-promised": "^2.0.38",
     "@types/tapable": "^1.0.6",
     "@types/tar": "^4.0.3",
@@ -441,12 +440,12 @@
     "reselect": "^4.0.0",
     "resize-observer-polyfill": "^1.5.1",
     "selenium-webdriver": "^4.0.0-alpha.7",
-    "simple-git": "^3.15.0",
+    "simple-git": "^3.16.0",
     "sinon": "^7.4.2",
     "strip-ansi": "^6.0.0",
     "stylelint": "^14.5.2",
     "stylelint-config-standard-scss": "^3.0.0",
-    "supertest": "^6.2.2",
+    "supertest": "^6.3.3",
     "supertest-as-promised": "^4.0.2",
     "tape": "^5.0.1",
     "topojson-client": "3.0.0",

packages/osd-opensearch/package.json

@@ -22,7 +22,7 @@
     "getopts": "^2.2.5",
     "glob": "^7.1.7",
     "node-fetch": "^2.6.7",
-    "simple-git": "^3.15.0",
+    "simple-git": "^3.16.0",
     "tar-fs": "^2.1.0",
     "tree-kill": "^1.2.2",
     "yauzl": "^2.10.0"

src/core/server/opensearch/client/client_config.test.ts

@@ -184,6 +184,24 @@ describe('parseClientOptions', () => {
               ]
           `);
     });
+
+    it('`disablePrototypePoisoningProtection` option', () => {
+      expect(
+        parseClientOptions(createConfig({ disablePrototypePoisoningProtection: false }), false)
+          .disablePrototypePoisoningProtection
+      ).toEqual(false);
+      expect(
+        parseClientOptions(createConfig({ disablePrototypePoisoningProtection: true }), false)
+          .disablePrototypePoisoningProtection
+      ).toEqual(true);
+
+      expect(
+        parseClientOptions(createConfig({}), false).disablePrototypePoisoningProtection
+      ).toBeUndefined();
+      expect(
+        parseClientOptions(createConfig({}), true).disablePrototypePoisoningProtection
+      ).toBeUndefined();
+    });
   });
 
   describe('authorization', () => {

src/core/server/opensearch/client/client_config.ts

@@ -52,6 +52,7 @@ export type OpenSearchClientConfig = Pick<
   | 'hosts'
   | 'username'
   | 'password'
+  | 'disablePrototypePoisoningProtection'
 > & {
   memoryCircuitBreaker?:
     | OpenSearchConfig['memoryCircuitBreaker']
@@ -115,6 +116,10 @@ export function parseClientOptions(config: OpenSearchClientConfig, scoped: boole
     );
   }
 
+  if (config.disablePrototypePoisoningProtection != null) {
+    clientOptions.disablePrototypePoisoningProtection = config.disablePrototypePoisoningProtection;
+  }
+
   return clientOptions;
 }
 

src/core/server/opensearch/opensearch_config.test.ts

@@ -72,6 +72,7 @@ test('set correct defaults', () => {
     OpenSearchConfig {
       "apiVersion": "7.x",
       "customHeaders": Object {},
+      "disablePrototypePoisoningProtection": undefined,
       "healthCheckDelay": "PT2.5S",
       "hosts": Array [
         "http://localhost:9200",

src/core/server/opensearch/opensearch_config.ts

@@ -142,6 +142,7 @@ export const configSchema = schema.object({
     }),
     schema.boolean({ defaultValue: false })
   ),
+  disablePrototypePoisoningProtection: schema.maybe(schema.boolean({ defaultValue: false })),
 });
 
 const deprecations: ConfigDeprecationProvider = ({ renameFromRoot, renameFromRootWithoutMap }) => [
@@ -318,6 +319,12 @@ export class OpenSearchConfig {
    */
   public readonly customHeaders: OpenSearchConfigType['customHeaders'];
 
+  /**
+   * Specifies whether the client should attempt to protect against reserved words
+   * or not.
+   */
+  public readonly disablePrototypePoisoningProtection?: boolean;
+
   constructor(rawConfig: OpenSearchConfigType) {
     this.ignoreVersionMismatch = rawConfig.ignoreVersionMismatch;
     this.apiVersion = rawConfig.apiVersion;
@@ -338,6 +345,7 @@ export class OpenSearchConfig {
     this.username = rawConfig.username;
     this.password = rawConfig.password;
     this.customHeaders = rawConfig.customHeaders;
+    this.disablePrototypePoisoningProtection = rawConfig.disablePrototypePoisoningProtection;
 
     const { alwaysPresentCertificate, verificationMode } = rawConfig.ssl;
     const { key, keyPassphrase, certificate, certificateAuthorities } = readKeyAndCerts(rawConfig);

src/dev/build/tasks/os_packages/docker_generator/resources/bin/opensearch-dashboards-docker

@@ -50,6 +50,7 @@ opensearch_dashboards_vars=(
     opensearch.ssl.truststore.password
     opensearch.ssl.verificationMode
     opensearch.username
+    opensearch.disablePrototypePoisoningProtection
     i18n.locale
     interpreter.enableInVisualize
     opensearchDashboards.autocompleteTerminateAfter

src/dev/build/tasks/patch_native_modules_task.test.ts

@@ -67,8 +67,8 @@ it('patch native modules task downloads the correct platform package', async ()
           "destination": <absolute path>/.native_modules/re2/linux-arm64-83.tar.gz,
           "log": <ToolingLog>,
           "retries": 3,
-          "sha256": "f25124adc64d269a513b99abd4a5eed8d7a929db565207f8ece1f3b7b7931668",
-          "url": "https://d1v1sj258etie.cloudfront.net/node-re2/releases/download/1.15.4/linux-arm64-83.tar.gz",
+          "sha256": "d86ced75b794fbf518b90908847b3c09a50f3ff5a2815aa30f53080f926a2873",
+          "url": "https://d1v1sj258etie.cloudfront.net/node-re2/releases/download/1.17.4/linux-arm64-83.tar.gz",
         },
       ],
     ]

src/dev/build/tasks/patch_native_modules_task.ts

@@ -52,31 +52,42 @@ interface Package {
   >;
 }
 
+// Process for updating urls and checksums after bumping the version of `re2`:
+// 1. Match `version` with the version in the yarn.lock file.
+// 2. Update the url to match the version.
+//    2a. If a Node.js update occurs, the node module version must match as
+//        well (i.e. '83'). See https://nodejs.org/en/download/releases/#ref-1.
+// 3. Generate the new checksum by executing the following commands:
+//    3a. `wget {url}`
+//    3b. `sha256sum {downloaded file name}`
+//    3c. For `linux-arm64`, the sha256 can also be found by replacing
+//        "linux-arm64-83.tar.gz" in the url with "sha256sum.txt.asc"
+//        and copying the sha256 from that file.
 const packages: Package[] = [
   {
     name: 're2',
-    version: '1.15.4',
+    version: '1.17.4',
     destinationPath: 'node_modules/re2/build/Release/re2.node',
     extractMethod: 'gunzip',
     archives: {
       'darwin-x64': {
-        url: 'https://github.com/uhop/node-re2/releases/download/1.15.4/darwin-x64-83.gz',
-        sha256: 'b45cd8296fd6eb2a091399c20111af43093ba30c99ed9e5d969278f5ff69ba8f',
+        url: 'https://github.com/uhop/node-re2/releases/download/1.17.4/darwin-x64-83.gz',
+        sha256: '9112ed93c1544ecc6397f7ff20bd2b28f3b04c7fbb54024e10f9a376a132a87d',
       },
       'linux-x64': {
-        url: 'https://github.com/uhop/node-re2/releases/download/1.15.4/linux-x64-83.gz',
-        sha256: '1bbc3f90f0ba105772b37c04e3a718f69544b4df01dda00435c2b8e50b2ad0d9',
+        url: 'https://github.com/uhop/node-re2/releases/download/1.17.4/linux-x64-83.gz',
+        sha256: '86e03540783a18c41f81df0aec320b1f64aca6cbd3a87fc1b7a9b4109c5f5986',
       },
       'linux-arm64': {
         url:
-          'https://d1v1sj258etie.cloudfront.net/node-re2/releases/download/1.15.4/linux-arm64-83.tar.gz',
-        sha256: 'f25124adc64d269a513b99abd4a5eed8d7a929db565207f8ece1f3b7b7931668',
+          'https://d1v1sj258etie.cloudfront.net/node-re2/releases/download/1.17.4/linux-arm64-83.tar.gz',
+        sha256: 'd86ced75b794fbf518b90908847b3c09a50f3ff5a2815aa30f53080f926a2873',
         overriddenExtractMethod: 'untar',
         overriddenDestinationPath: 'node_modules/re2/build/Release',
       },
       'win32-x64': {
-        url: 'https://github.com/uhop/node-re2/releases/download/1.15.4/win32-x64-83.gz',
-        sha256: 'efe939d3cda1d64ee3ee3e60a20613b95166d55632e702c670763ea7e69fca06',
+        url: 'https://github.com/uhop/node-re2/releases/download/1.17.4/win32-x64-83.gz',
+        sha256: '2f842d9757288afd4bd5dec0e7b370a4c3e89ac98050598b17abb9e8e00e3294',
       },
     },
   },