[Reporting]: Check if CSV cells (including headers) start with known formula characters #37930
Conversation
| interface IFlattened { | ||
| [header: string]: string; | ||
| } | ||
|
|
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
💚 Build Succeeded |
💚 Build Succeeded |
joelgriffith
changed the title
There was a problem hiding this comment.
for some reason this doesn't work, but I'm sure, it's me. generated a CSV without warning:
"=1","_id","_index","_score","_type","test.test",test4
"=323223",1,csv,0,"_doc",,
,2,csv,0,"_doc","=323",
,3,csv,0,"_doc","=323",
,4,csv,0,"_doc","=SUM323",
,5,csv,0,"_doc",,"+ 32SUM323"
Example Payload:
PUT csv/_doc/2
{
"=2":{"=323223": "?323"}
}
PUT csv/_doc/4
{
"test":{"test": "=SUM323"}
}
PUT csv/_doc/5
{
"test4":"=SUM323"
}
PUT csv/_doc/5
{
"test4":"+ 32SUM323"
}
BTW: When I tried to export a CSV from Discover, the link Report List didn't work (In chrome)
|
Good find! I did have it succeed on most of the stuff I threw at it. Let me check here. |
|
@kertal I'm able to get the warnings in the UI with your docs. What are you using to generate the CSV (Discover or API?). You might also have to start with a fresh ES instance since this does have index changes. |
|
Discover, not API. And I did not start a fresh ES instance. Guess that’s
why. but is this not upgradeable on the fly?
Joel Griffith <notifications@github.com> schrieb am Fr. 7. Juni 2019 um
20:28:
… @kertal <https://github.com/kertal> I'm able to get the warnings in the
UI with your docs. What are you using to generate the CSV (Discover or
API?). You might also have to start with a fresh ES instance since this
does have index changes.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#37930?email_source=notifications&email_token=AADRH2ZYFXPVA4DFEPLY5KLPZKSEZA5CNFSM4HSTTIGKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODXGUFJI#issuecomment-499991205>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AADRH2442XDU5TVKLXNOLTLPZKSEZANCNFSM4HSTTIGA>
.
|
|
It might be... I'm not sure how Kibana does these kinds of upgrades (I'll have to check) |
|
OK, so I've verified that the new mapping does get added when KBN starts up. However, the warning only applies to CSV's generated after the mapping has been updated. Here's what I did:
I think this is ready for one last pass @kertal, thanks again for the thoroughness! |
|
Reports are located Path should be |
💚 Build Succeeded |
|
Going to wait for @jakelandis to comment that this will work before we commit to it :) |
|
I'm testing this out and was curious if the following download link (bottom right from discover) should also carry the warning ? Also, pretty sure that this report does not contain formulas (it is the logs sample data built into kibana) and pretty sure this only started to show this message after I added a report that included data to trigger the warning. |
|
@jakelandis great point on the toast notification, I'll look to rectify that. The sample data for logs I think does contain a |
|
@joelgriffith, is the |
|
@joelgriffith - I am starting to look at implementing something similar in the Watcher email. After taking a closer look, it seems that we don't ever call the jobs/list api, rather we make the initial call to reporting API [1] and grab the URL for the final payload [2], then busy wait (poll) for the response to be a 200. Once we find a success we just pull the bytes and use that as the attachment. Is it possible to include the warnings as part the response body ? Perhaps "kb_reporting_warnings" : "comma separated list of messages" I realize that in prior conversations I asked for an array of objects. However, for a variety of reasons (happy to go into more detail if you care), I don't think I will be able to make use "code", and a flat list of string(s) is sufficient. I can make an additional call to get the warnings, but would love if I could just pull them from the response header of payload response [2]. example requests |
|
In addition to the above request to return the warning as part of the download response, could you return an abbreviated warning ? For example: Doesn't read very well in the context of an email's attachment. I was thinking the email attachment should read closer to In this case you would pass the string "CSV injection" back with the payload. @joshbressers - Can you provide some guidance here on how the email version of this should read ? |
|
@kobelb yes, some logs tend to start with @jakelandis I'll take a look at your comments tomorrow -- currently on support duty today but will follow up with details tomorrow. |
I think doing it in a header makes the most sense, otherwise the overall structure of the payload wouldn't work (since it's a CSV there's no other places to store meta-data). I think for programmatic usage a new header is a good idea, I'll see if we have a convention in Kibana for doing so. |
Interesting, I know at some point we talked about leaving these warnings "off" by default, and allowing users to opt-in to them. If this does end up being super common, perhaps we should consider this approach? |
|
OK, given our usage of this and the findings from it, I'm going to do the following:
Sound good? |
|
Sounds good to me! |
Which JSON payload ? For the final payload we consume
+1
+1 - ES will also have a config to disable/enable this. I will follow your lead on the default. |
Yeah -- not on the CSV payload itself, but the meta-data that comes from the GET on all reports (which is a JSON API). CSV API will have no changes. |
|
Ok folks -- I'm out all next week so I tried to get this as far as possible. My TODO's are still:
Other than that this is pretty much feature-complete. Headers are:
Let me know if it's easier to just detect their presence versus parsing out their values... |
joelgriffith
added
Feature:Reporting
💚 Build Succeeded |
|
@jakelandis let me know if there's anything you needed from this PR that I haven't covered. Going to get it up to speed and hopefully merge soon |
💚 Build Succeeded |
|
Config flag is now added, and is default to
This will have reporting not check for CSV formulas during report generation, which means we won't store meta-data related to CSV's having formulas or not when this flag is set to |
💚 Build Succeeded |
|
@jakelandis not sure if you've had time to look at this, but let me know when you're comfortable with it. |
…warn-csv-formulas
…warn-csv-formulas
💚 Build Succeeded |
…known formula characters (#37930) (#40081) * [Reporting]: Check if CSV cells (including headers) start with known formula characters (#37930) * Re-working csv injection issue into master * Config flag for checking if CSV's contain formulas * Fixing snapshots * Fixing bad merge conflict with get_document_payload
This commit introduces a Warning message to the emails generated by Watcher's reporting action. This change complements Kibana's CSV formula notifications (see elastic/kibana#37930). This is implemented by reading a header (kbn-csv-contains-formulas) provided by Kibana to notify to attach the Warning to the email. The wording of the warning is borrowed from Kibana's UI and may be overridden by a dynamic setting xpack.notification.reporting.warning.kbn-csv-contains-formulas.text. This warning is enabled by default, but may be disabled via a dynamic setting xpack.notification.reporting.warning.enabled.
…c#44460) This commit introduces a Warning message to the emails generated by Watcher's reporting action. This change complements Kibana's CSV formula notifications (see elastic/kibana#37930). This is implemented by reading a header (kbn-csv-contains-formulas) provided by Kibana to notify to attach the Warning to the email. The wording of the warning is borrowed from Kibana's UI and may be overridden by a dynamic setting xpack.notification.reporting.warning.kbn-csv-contains-formulas.text. This warning is enabled by default, but may be disabled via a dynamic setting xpack.notification.reporting.warning.enabled.
#45557) * Watcher add email warning if CSV attachment contains formulas (#44460) This commit introduces a Warning message to the emails generated by Watcher's reporting action. This change complements Kibana's CSV formula notifications (see elastic/kibana#37930). This is implemented by reading a header (kbn-csv-contains-formulas) provided by Kibana to notify to attach the Warning to the email. The wording of the warning is borrowed from Kibana's UI and may be overridden by a dynamic setting xpack.notification.reporting.warning.kbn-csv-contains-formulas.text. This warning is enabled by default, but may be disabled via a dynamic setting xpack.notification.reporting.warning.enabled.
Hover effect in reporting list
Toast notification with text
CSV Download button now warns when there's a potential formula involved in the output (=, -, +, and @ chars). See OWASP: https://www.owasp.org/index.php/CSV_Injection