
[SECURITY_SOLUTION][ENDPOINT] Create Trusted Apps API changes to process user input #78079

paul-tavares

Summary

When creating a new trusted app entry, the API will now process the user input data and perform the following:

  • trim values for the Trusted App name, as well as the condition's (both path and hash) value
  • For a hash condition - ensure its value is stored in lowercase
  • Ensure that when storing the new trusted app entry, an appropriate hash field (md5, sha1 or sha256) is used based on the value entered

As a result of the above changes, the GET Trusted Apps List API was also updated to ensure that entries for hash have their field name adjusted back to process.hash.*

A change was also made to the process.path condition field to use process.path.text as the name, which will cause the Endpoint artifact to be generated with "type": "exact_caseless"

Example of a generated Windows Artifact:

{
  "entries": [
    {
      "type": "simple",
      "entries": [
        {
          "field": "process.path",
          "operator": "included",
          "type": "exact_caseless",
          "value": "c:\\program files\\program1\\something.exe"
        }
      ]
    },
    {
      "type": "simple",
      "entries": [
        {
          "field": "process.hash.sha256",
          "operator": "included",
          "type": "exact_cased",
          "value": "a4370c0cf81686c0b696fa6261c9d3e0d810ae704ab8301839dffd5d5112f476"
        }
      ]
    },
    {
      "type": "simple",
      "entries": [
        {
          "field": "process.hash.sha1",
          "operator": "included",
          "type": "exact_cased",
          "value": "aedb279e378bed6c2db3c9dc9e12ba635e0b391c"
        }
      ]
    },
    {
      "type": "simple",
      "entries": [
        {
          "field": "process.hash.md5",
          "operator": "included",
          "type": "exact_cased",
          "value": "741462ab431a22233c787baab9b653c7"
        }
      ]
    }
  ]
}

Checklist
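The conversion the description above spells out, as an added example in TypeScript (not Kibana's own code): trimming, lower-casing hashes, choosing the `process.hash.md5|sha1|sha256` field by value length, renaming `process.path` to `process.path.text`, and mapping stored entries back for the list API and forward to artifact entries. The type names, the hex-digest check and the `.text`-to-`exact_caseless` artifact mapping are assumptions of this example.

```typescript
// Added example (not Kibana's code): normalise user-supplied trusted-app conditions the way
// the PR description says the Create API now does, and map them back for the GET list API.
type UserField = 'process.path' | 'process.hash.*';
type StoredField = 'process.path.text' | 'process.hash.md5' | 'process.hash.sha1' | 'process.hash.sha256';

export interface UserCondition { field: UserField; value: string }
export interface StoredCondition { field: StoredField; value: string }
export interface ArtifactEntry { field: string; operator: 'included'; type: 'exact_caseless' | 'exact_cased'; value: string }

// The commit message says the hash type is determined by the length of the (hex) value.
const HASH_FIELD_BY_LENGTH: Record<number, StoredField> = {
  32: 'process.hash.md5',
  40: 'process.hash.sha1',
  64: 'process.hash.sha256',
};

// Create API direction: trim, lower-case hashes, pick the concrete hash field, rename the path field.
export function toStoredCondition(input: UserCondition): StoredCondition {
  const value = input.value.trim();
  if (input.field === 'process.path') {
    // The `.text` name is what makes the generated artifact entry `exact_caseless`.
    return { field: 'process.path.text', value };
  }
  const hash = value.toLowerCase();
  const field: StoredField | undefined = HASH_FIELD_BY_LENGTH[hash.length];
  // Hypothetical hardening added by this example: reject anything that is not a hex digest of a known length.
  if (field === undefined || !/^[0-9a-f]+$/.test(hash)) {
    throw new Error(`unsupported hash value: ${JSON.stringify(input.value)}`);
  }
  return { field, value: hash };
}

// List API direction: collapse the concrete hash field back to `process.hash.*` for the UI.
export function toUserCondition(stored: StoredCondition): UserCondition {
  const field: UserField = stored.field === 'process.path.text' ? 'process.path' : 'process.hash.*';
  return { field, value: stored.value };
}

// Artifact direction (assumed mapping): a `.text` field becomes an `exact_caseless` entry on the
// base field name; everything else stays `exact_cased`, matching the sample artifact above.
export function toArtifactEntry(stored: StoredCondition): ArtifactEntry {
  const caseless = stored.field.endsWith('.text');
  return {
    field: caseless ? stored.field.replace(/\.text$/, '') : stored.field,
    operator: 'included',
    type: caseless ? 'exact_caseless' : 'exact_cased',
    value: stored.value,
  };
}
```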

@paul-tavares paul-tavares added v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Team:Endpoint Management Feature:Endpoint Elastic Endpoint feature v7.10.0 labels Sep 21, 2020
@paul-tavares paul-tavares requested review from a team as code owners September 21, 2020 20:06
@paul-tavares paul-tavares self-assigned this Sep 21, 2020
@elasticmachine

Pinging @elastic/endpoint-management (Team:Endpoint Management)

@elasticmachine

Pinging @elastic/endpoint-app-team (Feature:Endpoint)

return {
_tags: tagsListFromOs(os),
comments: [],
description,
entries,
// @ts-ignore

What's the error here?


@kevinlog ,
It has to do with the fact that entries in Trusted Apps is an Array of different types based on the outer value for os, and in order to get around it, we would have to do (needless) runtime castings using type guards. In this instance, I think it's ok to ignore it, but open to suggestions.

Error is:

@kibanamachine

💚 Build Succeeded

Build metrics

async chunks size

id value diff baseline
securitySolution 10.1MB +10.0B 10.1MB

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@@ -138,24 +232,26 @@ describe('when invoking endpoint trusted apps route handlers', () => {

describe('when creating a trusted app', () => {
let routeHandler: RequestHandler<undefined, PostTrustedAppCreateRequest>;
const createNewTrustedAppBody = (): PostTrustedAppCreateRequest => ({
const createNewTrustedAppBody = (): {
-readonly [k in keyof PostTrustedAppCreateRequest]: PostTrustedAppCreateRequest[k];
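Review bot: the new `createNewTrustedAppBody` signature spells out the mapped type `{ -readonly [k in keyof PostTrustedAppCreateRequest]: PostTrustedAppCreateRequest[k] }` inline, and the `-readonly` modifier is uncommon enough that readers will stop on it. Extract it to a named utility type such as `Mutable<T>` with a one-line doc comment saying it strips the `readonly` modifiers so the test fixture can be modified in place, and write `(): Mutable<PostTrustedAppCreateRequest> => ({` here.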

what does this syntax mean?


It makes the object's "own keys" mutable (you can mutate them). It's shorthand for writing a Mutable<> generic interface (to undo what our Immutable<> generic does :)

@paul-tavares paul-tavares merged commit e8f3529 into elastic:master Sep 22, 2020
@paul-tavares paul-tavares deleted the task/emt-268-trusted-apps-data-conversion-for-artifact branch September 22, 2020 20:17
paul-tavares added a commit to paul-tavares/kibana that referenced this pull request Sep 22, 2020
…ess user input (elastic#78079)

* Convert new trusted app data to expected format for artifact
* Renamed condition field `process.path` to `process.path.text`
* determine hash type based on length of hash value
* Convert `process.hash.[sha1|md5|sha256]` to `process.hash.*` for return on list api
* Add test for conversion of ExceptionItem to TrustedApp Item
paul-tavares added a commit that referenced this pull request Sep 23, 2020
…ess user input (#78079) (#78211)

* Convert new trusted app data to expected format for artifact
* Renamed condition field `process.path` to `process.path.text`
* determine hash type based on length of hash value
* Convert `process.hash.[sha1|md5|sha256]` to `process.hash.*` for return on list api
* Add test for conversion of ExceptionItem to TrustedApp Item