Disallow code generation from strings#241162
Open
legrego wants to merge 4 commits into
Bot comment: @legrego, it looks like you're updating the parameters for a rule type! Please review the guidelines for making additive changes to rule type parameters and determine if your changes require an intermediate release.
legrego added a commit that referenced this pull request on May 28, 2026:
Summary: Removes the `js-sha256` dependency in favor of native platform code. Cherry-picked from the work on #241162
kibanamachine added a commit that referenced this pull request on May 28, 2026:
Backport: This will backport the following commits from `main` to `9.4`: Remove js-sha256 dependency (#271339). Questions? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport). Co-authored-by: Larry Gregory <larry.gregory@elastic.co>
CI bot: 💛 Build succeeded, but was flaky
Bot comment: Pinging @elastic/kibana-security (Team:Security)
tylersmalley approved these changes on May 28, 2026
dej611 pushed a commit to dej611/kibana that referenced this pull request on May 29, 2026:
Summary: Removes the `js-sha256` dependency in favor of native platform code. Cherry-picked from the work on elastic#241162
Summary

Optionally starts Kibana with `--disallow-code-generation-from-strings`, which, as you might guess, prevents Node.js from generating code from strings. In practice this means that language features such as `eval` and `new Function` will throw an error when called, instead of generating executable code. The code changes here are minimal so far, and that is due to a lot of prior work to reduce our attack surface.

Rollout

I am targeting a progressive, opt-in rollout. Local development and CI will always run with `--disable-code-generation-from-strings`. The distributable will only run with `--disallow-code-generation-from-strings` when the `KBN_DISALLOW_CODE_GEN_FROM_STRINGS` environment variable is set to `true`. This will allow us to selectively enable it within Elastic-managed environments, until such a time that we have enough confidence to enable this by default.