From 61c61738ce68f016fcc1bc78f5ca9a8188865d0d Mon Sep 17 00:00:00 2001
From: Jean-Louis Leysens
Date: Thu, 27 Jan 2022 13:24:41 +0100
Subject: [PATCH 1/3] added docs for `xpack.reporting.csv.escapeFormulaValues` config and `xpack.reporting.csv.useByteOrderMarkEncoding`, and some minor auto-formatting

---
 docs/settings/reporting-settings.asciidoc | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/docs/settings/reporting-settings.asciidoc b/docs/settings/reporting-settings.asciidoc
index 9b5b5b37aa62d5..5705d6de7308d1 100644
--- a/docs/settings/reporting-settings.asciidoc
+++ b/docs/settings/reporting-settings.asciidoc
@@ -235,12 +235,18 @@ Number of documents retrieved from {es} for each scroll iteration during a CSV e Amount of {time-units}[time] allowed before {kib} cleans the scroll context during a CSV export. Defaults to `30s`. `xpack.reporting.csv.checkForFormulas`:: -Enables a check that warns you when there's a potential formula involved in the output (=, -, +, and @ chars). See OWASP: https://www.owasp.org/index.php/CSV_Injection. Defaults to `true`. +Enables a check that warns you when there's a potential formula included in the output (=, -, +, and @ chars). See OWASP: https://www.owasp.org/index.php/CSV_Injection. Defaults to `true`. -`xpack.reporting.csv` `.enablePanelActionDownload`:: +`xpack.reporting.csv.escapeFormulaValues`:: +Escape formula values in cells with a `'`. See OWASP: https://www.owasp.org/index.php/CSV_Injection. Defaults to `true`. + +`xpack.reporting.csv.enablePanelActionDownload`:: Enables CSV export from a saved search on a dashboard. This action is available in the dashboard panel menu for the saved search. NOTE: This setting exists for backwards compatibility, but is unused and hardcoded to `true`. CSV export from a saved search on a dashboard is enabled when Reporting is enabled. +`xpack.reporting.csv.useByteOrderMarkEncoding`:: +Adds a byte order mark (`\ufeff`) at the beginning of the CSV file. Defaults to `false`. + [float] [[reporting-advanced-settings]] ==== Security settings From b1f7306ca298c9eb538bde3573a481f7649eafb7 Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Thu, 27 Jan 2022 13:25:06 +0100 Subject: [PATCH 2/3] some more auto-formatting changes --- docs/settings/reporting-settings.asciidoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/settings/reporting-settings.asciidoc b/docs/settings/reporting-settings.asciidoc index 5705d6de7308d1..3c1b86f7710645 100644 --- a/docs/settings/reporting-settings.asciidoc +++ b/docs/settings/reporting-settings.asciidoc 
@@ -97,10 +97,10 @@ NOTE: Running multiple instances of {kib} in a cluster for load balancing of reporting requires identical values for <> and, if security is enabled, <>. -`xpack.reporting.queue.pollInterval`:: +`xpack.reporting.queue.pollInterval`:: Specifies the {time-units}[time] that the reporting poller waits between polling the index for any pending Reporting jobs. Can be specified as number of milliseconds. Defaults to `3s`. -[[xpack-reporting-q-timeout]] `xpack.reporting.queue.timeout` {ess-icon}:: +[[xpack-reporting-q-timeout]] `xpack.reporting.queue.timeout` {ess-icon}:: {time-units}[How long] each worker has to produce a report. If your machine is slow or under heavy load, you might need to increase this timeout. If a Reporting job execution goes over this time limit, the job is marked as a failure and no download will be available. Can be specified as number of milliseconds. Defaults to `2m`. [float] @@ -109,7 +109,7 @@ Specifies the {time-units}[time] that the reporting poller waits between polling Reporting works by capturing screenshots from {kib}. The following settings control the capturing process. -`xpack.reporting.capture.timeouts.openUrl` {ess-icon}:: +`xpack.reporting.capture.timeouts.openUrl` {ess-icon}:: Specify the {time-units}[time] to allow the Reporting browser to wait for the "Loading..." screen to dismiss and find the initial data for the page. If the time is exceeded, a screenshot is captured showing the current page, and the download link shows a warning message. Can be specified as number of milliseconds. Defaults to `1m`. `xpack.reporting.capture.timeouts.waitForElements` {ess-icon}:: 
@@ -123,7 +123,7 @@ running a report job, Reporting will log the error and try to continue capturing the page with a screenshot. As a result, a download will be available, but there will likely be errors in the visualizations in the report. -`xpack.reporting.capture.maxAttempts` {ess-icon}:: +`xpack.reporting.capture.maxAttempts` {ess-icon}:: If capturing a report fails for any reason, {kib} will re-attempt other reporting job, as many times as this setting. Defaults to `3`. `xpack.reporting.capture.loadDelay`:: @@ -172,14 +172,14 @@ The rule objects are evaluated sequentially from the beginning to the end of the ------------------------------------------------------- # Only allow requests to placeholder.com xpack.reporting.capture.networkPolicy: - rules: [ { allow: true, host: "placeholder.com" } ] + rules: [ { allow: true, host: "placeholder.com" } ] ------------------------------------------------------- [source,yaml] ------------------------------------------------------- -# Only allow requests to https://placeholder.com +# Only allow requests to https://placeholder.com xpack.reporting.capture.networkPolicy: - rules: [ { allow: true, host: "placeholder.com", protocol: "https:" } ] + rules: [ { allow: true, host: "placeholder.com", protocol: "https:" } ] ------------------------------------------------------- A final `allow` rule with no host or protocol allows all requests that are not explicitly denied: From f40f38a2754a42ffe457e073297646e54bd87493 Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Thu, 27 Jan 2022 13:26:05 +0100 Subject: [PATCH 3/3] addded some documentation to CSV escape function --- src/plugins/data/common/exports/escape_value.ts | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/plugins/data/common/exports/escape_value.ts b/src/plugins/data/common/exports/escape_value.ts index 9277f792a4b864..393ce6043993a3 100644 --- a/src/plugins/data/common/exports/escape_value.ts 
+++ b/src/plugins/data/common/exports/escape_value.ts
@@ -10,6 +10,17 @@ import { cellHasFormulas } from './formula_checks';
 
 type RawValue = string | object | null | undefined;
 
+/**
+ * Create a function that will escape CSV values like "=", "@" and "+" with a
+ * "'". This will also place CSV values in "" if contain non-alphanumeric chars.
+ *
+ * For example:
+ *
+ * Given: =1+1
+ * Returns: "'=1+1"
+ *
+ * See OWASP: https://www.owasp.org/index.php/CSV_Injection.
+ */
 export function createEscapeValue(
   quoteValues: boolean,
   escapeFormulas: boolean
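Review bot: The JSDoc added above `createEscapeValue` lists the formula-triggering characters as `"=", "@" and "+"`, whereas the `xpack.reporting.csv.checkForFormulas` text edited in patch 1 of this series lists `=, -, +, and @`, so a reader of the two gets different answers about whether a leading `-` is escaped; rather than restating the set, point at the check that decides it, e.g. `Values are treated as formulas when cellHasFormulas() (see ./formula_checks) reports them.` The comment also documents neither parameter even though both appear in the hunk; add `@param quoteValues` and `@param escapeFormulas` lines saying what each one toggles (the function body runs past the hunk, so the exact semantics cannot be confirmed from here). Finally, `if contain non-alphanumeric chars` should read `if they contain non-alphanumeric chars`.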