[SOR] Protect search() method to prevent overriding top-level fields with runtime mappings (elastic#244927)

## Summary

Closes elastic/kibana-team#2227

The PR tweaks the SOR `search()` method to ignore any runtime mappings
that overlap with top-level _Saved Object_ properties.

Author: gsoldevila

src/core/packages/saved-objects/api-server-internal/src/lib/apis/search.ts

@@ -23,6 +23,7 @@ import type {
 import type { ApiExecutionContext } from './types';
 import { getNamespacesBoolFilter } from '../search';
 import type { NamespacesBoolFilter } from '../search/search_dsl/query_params';
+import { getRootFields } from '../utils';
 
 export interface PerformSearchParams {
   options: SavedObjectsSearchOptions;
@@ -63,6 +64,17 @@ export async function performSearch<T extends SavedObjectsRawDocSource, A = unkn
     );
   }
 
+  const rootFields = getRootFields();
+
+  const forbiddenRuntimeMappings = Object.keys(esOptions.runtime_mappings ?? {}).filter((key) =>
+    rootFields.includes(key)
+  );
+  if (forbiddenRuntimeMappings.length > 0) {
+    throw SavedObjectsErrorHelpers.createBadRequestError(
+      `'runtime_mappings' contains forbidden fields: ${forbiddenRuntimeMappings.join(', ')}`
+    );
+  }
+
   const types = castArray(type).filter((t) => allowedTypes.includes(t));
   if (types.length === 0) {
     return createEmptySearchResponse();

src/core/server/integration_tests/saved_objects/service/lib/search.test.ts

@@ -39,7 +39,7 @@ const registerTypes = (setup: InternalCoreSetup) => {
   setup.savedObjects.registerType({
     name: 'test-type',
     hidden: false,
-    namespaceType: 'single',
+    namespaceType: 'multiple',
     mappings: {
       dynamic: false,
       properties: {
@@ -161,4 +161,45 @@ describe('SOR - search API', () => {
     expect(documents.hits.total).toHaveProperty('value', 1);
     expect(documents.hits.hits).toHaveProperty('0._source.test-type.name', 'John Doe');
   });
+
+  it('should enforce namespace security with runtime field override attempt', async () => {
+    // Baseline: should return 5 documents from default namespace
+    const normalSearch = await savedObjectsRepository.search({
+      type: 'test-type',
+      namespaces: ['default'],
+      query: {
+        match_all: {},
+      },
+    });
+    expect(normalSearch.hits.total).toHaveProperty('value', 5);
+
+    // Baseline: should return 2 documents from namespaceA
+    const namespaceASearch = await savedObjectsRepository.search({
+      type: 'test-type',
+      namespaces: ['namespaceA'],
+      query: {
+        match_all: {},
+      },
+    });
+    expect(namespaceASearch.hits.total).toHaveProperty('value', 2);
+
+    // Attempt to override namespace filter using runtime mappings should throw an error
+    await expect(
+      savedObjectsRepository.search({
+        type: 'test-type',
+        namespaces: ['default'],
+        runtime_mappings: {
+          namespaces: {
+            type: 'keyword',
+            script: {
+              source: 'emit("default")', // Attempt to make all docs appear in 'default' namespace
+            },
+          },
+        },
+        query: {
+          match_all: {},
+        },
+      })
+    ).rejects.toThrow("'runtime_mappings' contains forbidden fields: namespaces");
+  });
 });