habsi/elasticsearch-js
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Backport 8.16] Respect disablePrototypePoisoningProtection option (#2395)

Browse Source 
Co-authored-by: Josh Mock <joshua.mock@elastic.co>
This commit is contained in:
github-actions[bot]
2024-10-22 15:03:23 -05:00
committed by GitHub
parent 9947b0e365
commit 586c42161d
4 changed files with 83 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/basic-config.asciidoc
View File

@ -252,8 +252,8 @@ const client = new Client({
---- ----
|`disablePrototypePoisoningProtection` |`disablePrototypePoisoningProtection`
|`boolean`, `'proto'`, `'constructor'` - By the default the client will protect you against prototype poisoning attacks. Read https://web.archive.org/web/20200319091159/https://hueniverse.com/square-brackets-are-the-enemy-ff5b9fd8a3e8?gi=184a27ee2a08[this article] to learn more. If needed you can disable prototype poisoning protection entirely or one of the two checks. Read the `secure-json-parse` https://github.com/fastify/secure-json-parse[documentation] to learn more. + |`boolean`, `'proto'`, `'constructor'` - The client can protect you against prototype poisoning attacks. Read https://web.archive.org/web/20200319091159/https://hueniverse.com/square-brackets-are-the-enemy-ff5b9fd8a3e8?gi=184a27ee2a08[this article] to learn more about this security concern. If needed, you can enable prototype poisoning protection entirely (`false`) or one of the two checks (`'proto'` or `'constructor'`). For performance reasons, it is disabled by default. Read the `secure-json-parse` https://github.com/fastify/secure-json-parse[documentation] to learn more. +
_Default:_ `false` _Default:_ `true`
|`caFingerprint` |`caFingerprint`
|`string` - If configured, verify that the fingerprint of the CA certificate that has signed the certificate of the server matches the supplied fingerprint. Only accepts SHA256 digest fingerprints. + |`string` - If configured, verify that the fingerprint of the CA certificate that has signed the certificate of the server matches the supplied fingerprint. Only accepts SHA256 digest fingerprints. +

20
docs/changelog.asciidoc
View File

@ -1,6 +1,26 @@
[[changelog-client]] [[changelog-client]]
== Release notes == Release notes
[discrete]
=== 8.16.0
[discrete]
==== Features
[discrete]
===== Support for Elasticsearch `v8.16`
You can find all the API changes
https://www.elastic.co/guide/en/elasticsearch/reference/8.16/release-notes-8.16.0.html[here].
[discrete]
==== Fixes
[discrete]
===== Pass prototype poisoning options to serializer correctly
The client's `disablePrototypePoisoningProtection` option was set to `true` by default, but when it was set to any other value it was ignored, making it impossible to enable prototype poisoning protection without providing a custom serializer implementation.
[discrete] [discrete]
=== 8.15.1 === 8.15.1

16
src/client.ts
View File

@ -228,7 +228,21 @@ export default class Client extends API {
this.diagnostic = opts[kChild].diagnostic this.diagnostic = opts[kChild].diagnostic
} else { } else {
this.diagnostic = new Diagnostic() this.diagnostic = new Diagnostic()
this.serializer = new options.Serializer()
let serializerOptions
if (opts.disablePrototypePoisoningProtection != null) {
if (typeof opts.disablePrototypePoisoningProtection === 'boolean') {
serializerOptions = {
enablePrototypePoisoningProtection: !opts.disablePrototypePoisoningProtection
}
} else {
serializerOptions = {
enablePrototypePoisoningProtection: opts.disablePrototypePoisoningProtection
}
}
}
this.serializer = new options.Serializer(serializerOptions)
this.connectionPool = new options.ConnectionPool({ this.connectionPool = new options.ConnectionPool({
pingTimeout: options.pingTimeout, pingTimeout: options.pingTimeout,
resurrectStrategy: options.resurrectStrategy, resurrectStrategy: options.resurrectStrategy,

46
test/unit/client.test.ts
View File

@ -482,3 +482,49 @@ test('Ensure new client does not time out at default (30s) when client sets requ
t.end() t.end()
} }
}) })
test('Pass disablePrototypePoisoningProtection option to serializer', async t => {
let client = new Client({
node: 'http://localhost:9200',
disablePrototypePoisoningProtection: false
})
t.same(client.serializer[symbols.kJsonOptions], {
protoAction: 'error',
constructorAction: 'error'
})
client = new Client({
node: 'http://localhost:9200',
disablePrototypePoisoningProtection: true
})
t.same(client.serializer[symbols.kJsonOptions], {
protoAction: 'ignore',
constructorAction: 'ignore'
})
client = new Client({
node: 'http://localhost:9200',
disablePrototypePoisoningProtection: 'proto'
})
t.same(client.serializer[symbols.kJsonOptions], {
protoAction: 'error',
constructorAction: 'ignore'
})
client = new Client({
node: 'http://localhost:9200',
disablePrototypePoisoningProtection: 'constructor'
})
t.same(client.serializer[symbols.kJsonOptions], {
protoAction: 'ignore',
constructorAction: 'error'
})
})
test('disablePrototypePoisoningProtection is true by default', async t => {
const client = new Client({ node: 'http://localhost:9200' })
t.same(client.serializer[symbols.kJsonOptions], {
protoAction: 'ignore',
constructorAction: 'ignore'
})
})