[User profiles] Strict user profile setting keys#241213
Merged
legrego merged 18 commits intoDec 4, 2025
Merged
Conversation
SiddharthMantri
added
Team:Security
Contributor
|
Pinging @elastic/kibana-security (Team:Security) |
Contributor
Author
|
@elasticmachine merge upstream |
SiddharthMantri
commented
Nov 7, 2025
Comment on lines
+78
to
+83
| // expect(() => bodySchema.validate(null)).toThrowErrorMatchingInlineSnapshot( | ||
| // `"expected a plain object value, but found [null] instead."` | ||
| // ); | ||
| // expect(() => bodySchema.validate(undefined)).toThrowErrorMatchingInlineSnapshot( | ||
| // `"expected value of type [object] but got [undefined]"` | ||
| // ); |
Contributor
Author
There was a problem hiding this comment.
Commenting these out as for some reason null and undefined are now accepted and the endpoint schema validation does not throw.
Contributor
There was a problem hiding this comment.
Should we remove these or uncomment?
Also how the route is supposed to react to such requests?
SiddharthMantri
commented
Nov 7, 2025
| solutionNavOptOut: schema.maybe(schema.boolean()), | ||
| }) | ||
| ), | ||
| }); |
Contributor
Author
There was a problem hiding this comment.
Related to https://github.com/elastic/kibana/pull/241213/files#r2503396102
We could add special validation logic here to disallow falsy values.
Contributor
Author
|
@elasticmachine merge upstream |
SiddharthMantri
commented
Nov 13, 2025
Comment on lines
+30
to
+33
| schema.object({ | ||
| initials: schema.nullable(schema.string({ maxLength: MAX_STRING_FIELD_LENGTH })), | ||
| color: schema.nullable(schema.string({ maxLength: MAX_STRING_FIELD_LENGTH })), | ||
| imageUrl: schema.nullable(schema.string()), |
Contributor
Author
There was a problem hiding this comment.
I've added some defaults for maxLength for these fields.
@azasypkin (tagging you since i saw you assigned to the review 😅) - I'm not sure how to approach restricting imageUrl length.
Contributor
Author
|
@elasticmachine merge upstream |
Contributor
|
ACK: I'll review PR today |
azasypkin
approved these changes
Dec 2, 2025
Contributor
azasypkin
left a comment
azasypkin
left a comment
There was a problem hiding this comment.
LGTM, thanks! Just one question/suggestion.
Also, do we need to update this interface as well
?| 'solutionNavigationTour:completed', // TODO: remove with https://github.com/elastic/kibana/issues/239313 | ||
| ]; | ||
|
|
||
| const MAX_STRING_FIELD_LENGTH = 1024; |
Contributor
There was a problem hiding this comment.
question/suggestion: Is there any particular reason or use case why we want to support 1024 characters for initials and color instead of, let's say, 100? We can technically go even lower and align with the limits in UI, but I don't have a strong opinion.
If we have a user that has anything in the user profile that's larger than these limits, nothing would break except they'll have to obey the new limits if they decide to update the data, right?
Contributor
Author
There was a problem hiding this comment.
If we have a user that has anything in the user profile that's larger than these limits, nothing would break except they'll have to obey the new limits if they decide to update the data, right?
That's right. It shouldn't affect any existing data since it's just validation on save.
No particular reason for 1024. Matching the UI limits fromm the form field works for me too.
azasypkin
reviewed
Dec 2, 2025
| avatar: schema.maybe( | ||
| schema.object({ | ||
| initials: schema.nullable(schema.string({ maxLength: MAX_STRING_FIELD_LENGTH })), | ||
| color: schema.nullable(schema.string({ maxLength: MAX_STRING_FIELD_LENGTH })), |
Contributor
There was a problem hiding this comment.
note: not really related to this PR as it was like that before, just observation, it looks like we're too aggressive in enforcing a valid avatar color to a degree that one cannot even access their profile to fix the issue (just bypassed UI restriction via dev tools and saved invalid color) 🤦
Contributor
Author
There was a problem hiding this comment.
Interesting, i hadn't come across this. I'll create an issue for us to look into.
SiddharthMantri
added
the
backport:all-open
Contributor
Author
|
@elasticmachine merge upstream |
Contributor
Author
|
@elasticmachine merge upstream |
Contributor
💚 Build Succeeded
Metrics [docs]
History
|
Contributor
|
Starting backport for target branches: 8.19, 9.1, 9.2 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Dec 4, 2025
## Summary Adds strict schema validation to the user profile update API endpoint (/internal/security/user_profile/_data) to restrict the request body to just allowed fields. The PR also introduces some reasonable defaults for string length for colors and initials. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> (cherry picked from commit 90fdc5f)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Dec 4, 2025
## Summary Adds strict schema validation to the user profile update API endpoint (/internal/security/user_profile/_data) to restrict the request body to just allowed fields. The PR also introduces some reasonable defaults for string length for colors and initials. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> (cherry picked from commit 90fdc5f)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Dec 4, 2025
## Summary Adds strict schema validation to the user profile update API endpoint (/internal/security/user_profile/_data) to restrict the request body to just allowed fields. The PR also introduces some reasonable defaults for string length for colors and initials. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> (cherry picked from commit 90fdc5f)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Dec 4, 2025
…5267) # Backport This will backport the following commits from `main` to `9.2`: - [[User profiles] Strict user profile setting keys (#241213)](#241213) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Sid","email":"siddharthmantri1@gmail.com"},"sourceCommit":{"committedDate":"2025-12-04T15:33:51Z","message":"[User profiles] Strict user profile setting keys (#241213)\n\n## Summary\n\nAdds strict schema validation to the user profile update API endpoint\n(/internal/security/user_profile/_data) to restrict the request body to\njust allowed fields.\n\nThe PR also introduces some reasonable defaults for string length for\ncolors and initials.\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"90fdc5f8bbbb90640c08d531c3c52556ec324ec7","branchLabelMapping":{"^v9.3.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","release_note:skip","Feature:Security/User Profile","backport:all-open","v9.3.0"],"title":"[User profiles] Strict user profile setting keys","number":241213,"url":"https://github.com/elastic/kibana/pull/241213","mergeCommit":{"message":"[User profiles] Strict user profile setting keys (#241213)\n\n## Summary\n\nAdds strict schema validation to the user profile update API endpoint\n(/internal/security/user_profile/_data) to restrict the request body to\njust allowed fields.\n\nThe PR also introduces some reasonable defaults for string length for\ncolors and initials.\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"90fdc5f8bbbb90640c08d531c3c52556ec324ec7"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.3.0","branchLabelMappingKey":"^v9.3.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/241213","number":241213,"mergeCommit":{"message":"[User profiles] Strict user profile setting keys (#241213)\n\n## Summary\n\nAdds strict schema validation to the user profile update API endpoint\n(/internal/security/user_profile/_data) to restrict the request body to\njust allowed fields.\n\nThe PR also introduces some reasonable defaults for string length for\ncolors and initials.\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"90fdc5f8bbbb90640c08d531c3c52556ec324ec7"}}]}] BACKPORT--> Co-authored-by: Sid <siddharthmantri1@gmail.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
kibanamachine
added a commit
that referenced
this pull request
Dec 4, 2025
…5266) # Backport This will backport the following commits from `main` to `9.1`: - [[User profiles] Strict user profile setting keys (#241213)](#241213) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Sid","email":"siddharthmantri1@gmail.com"},"sourceCommit":{"committedDate":"2025-12-04T15:33:51Z","message":"[User profiles] Strict user profile setting keys (#241213)\n\n## Summary\n\nAdds strict schema validation to the user profile update API endpoint\n(/internal/security/user_profile/_data) to restrict the request body to\njust allowed fields.\n\nThe PR also introduces some reasonable defaults for string length for\ncolors and initials.\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"90fdc5f8bbbb90640c08d531c3c52556ec324ec7","branchLabelMapping":{"^v9.3.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","release_note:skip","Feature:Security/User Profile","backport:all-open","v9.3.0"],"title":"[User profiles] Strict user profile setting keys","number":241213,"url":"https://github.com/elastic/kibana/pull/241213","mergeCommit":{"message":"[User profiles] Strict user profile setting keys (#241213)\n\n## Summary\n\nAdds strict schema validation to the user profile update API endpoint\n(/internal/security/user_profile/_data) to restrict the request body to\njust allowed fields.\n\nThe PR also introduces some reasonable defaults for string length for\ncolors and initials.\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"90fdc5f8bbbb90640c08d531c3c52556ec324ec7"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.3.0","branchLabelMappingKey":"^v9.3.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/241213","number":241213,"mergeCommit":{"message":"[User profiles] Strict user profile setting keys (#241213)\n\n## Summary\n\nAdds strict schema validation to the user profile update API endpoint\n(/internal/security/user_profile/_data) to restrict the request body to\njust allowed fields.\n\nThe PR also introduces some reasonable defaults for string length for\ncolors and initials.\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"90fdc5f8bbbb90640c08d531c3c52556ec324ec7"}}]}] BACKPORT--> Co-authored-by: Sid <siddharthmantri1@gmail.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
kibanamachine
added
v9.1.9
backport missing
Contributor
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
kibanamachine
added a commit
that referenced
this pull request
Dec 5, 2025
…45265) # Backport This will backport the following commits from `main` to `8.19`: - [[User profiles] Strict user profile setting keys (#241213)](#241213) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Sid","email":"siddharthmantri1@gmail.com"},"sourceCommit":{"committedDate":"2025-12-04T15:33:51Z","message":"[User profiles] Strict user profile setting keys (#241213)\n\n## Summary\n\nAdds strict schema validation to the user profile update API endpoint\n(/internal/security/user_profile/_data) to restrict the request body to\njust allowed fields.\n\nThe PR also introduces some reasonable defaults for string length for\ncolors and initials.\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"90fdc5f8bbbb90640c08d531c3c52556ec324ec7","branchLabelMapping":{"^v9.3.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","release_note:skip","Feature:Security/User Profile","backport:all-open","v9.3.0"],"title":"[User profiles] Strict user profile setting keys","number":241213,"url":"https://github.com/elastic/kibana/pull/241213","mergeCommit":{"message":"[User profiles] Strict user profile setting keys (#241213)\n\n## Summary\n\nAdds strict schema validation to the user profile update API endpoint\n(/internal/security/user_profile/_data) to restrict the request body to\njust allowed fields.\n\nThe PR also introduces some reasonable defaults for string length for\ncolors and initials.\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"90fdc5f8bbbb90640c08d531c3c52556ec324ec7"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.3.0","branchLabelMappingKey":"^v9.3.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/241213","number":241213,"mergeCommit":{"message":"[User profiles] Strict user profile setting keys (#241213)\n\n## Summary\n\nAdds strict schema validation to the user profile update API endpoint\n(/internal/security/user_profile/_data) to restrict the request body to\njust allowed fields.\n\nThe PR also introduces some reasonable defaults for string length for\ncolors and initials.\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"90fdc5f8bbbb90640c08d531c3c52556ec324ec7"}}]}] BACKPORT--> Co-authored-by: Sid <siddharthmantri1@gmail.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
kibanamachine
added
v8.19.9
and removed
backport missing
JordanSh
pushed a commit
to JordanSh/kibana
that referenced
this pull request
Dec 9, 2025
## Summary Adds strict schema validation to the user profile update API endpoint (/internal/security/user_profile/_data) to restrict the request body to just allowed fields. The PR also introduces some reasonable defaults for string length for colors and initials. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds strict schema validation to the user profile update API endpoint (/internal/security/user_profile/_data) to restrict the request body to just allowed fields.
The PR also introduces some reasonable defaults for string length for colors and initials.
Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
release_note:*label is applied per the guidelines