elastic · elena-shostak · Nov 24, 2025
@@ -2181,6 +2181,39 @@ module.exports = {
         '@kbn/eslint/scout_no_describe_configure': 'error',
       },
     },
+    {
+      // Restrict fs imports in production code (exclude test files, scripts, etc.)
+      files: [
+        'src/platform/plugins/shared/**/*.ts',
+        'x-pack/solutions/**/*.ts',
+        'x-pack/plugins/**/*.ts',
+      ],
+      excludedFiles: [
+        '**/*.{test,spec}.ts',
+        '**/*.test.ts',
+        '**/test/**',
+        '**/tests/**',
+        '**/__tests__/**',
+        '**/scripts/**',
+        '**/e2e/**',
+        '**/cypress/**',
+        '**/ftr_e2e/**',
+        '**/.storybook/**',
+        '**/json_schemas/**',
+        // Can use fs for telemetry collection
+        'src/platform/plugins/shared/telemetry/**',
+      ],
+      rules: {
+        '@kbn/eslint/require_kbn_fs': [
+          'warn',
+          {
+            restrictedMethods: ['writeFile', 'writeFileSync', 'createWriteStream'],
+            disallowedMessage:
+              'Use `@kbn/fs` for file write operations instead of direct `fs` in production code',
+          },
+        ],
+      },
+    },
   ],
 };
 

@@ -818,6 +818,7 @@ x-pack/platform/packages/shared/kbn-entities-schema @elastic/obs-entities
 x-pack/platform/packages/shared/kbn-event-stacktrace @elastic/obs-ux-infra_services-team @elastic/obs-ux-logs-team
 x-pack/platform/packages/shared/kbn-inference-endpoint-ui-common @elastic/response-ops @elastic/appex-ai-infra @elastic/obs-ai-assistant @elastic/security-generative-ai
 x-pack/platform/packages/shared/kbn-key-value-metadata-table @elastic/obs-ux-infra_services-team @elastic/obs-ux-logs-team
+x-pack/platform/packages/shared/kbn-fs @elastic/kibana-security
 x-pack/platform/packages/shared/kbn-langchain @elastic/security-generative-ai
 x-pack/platform/packages/shared/kbn-slo-schema @elastic/obs-ux-management-team
 x-pack/platform/packages/shared/logs-overview @elastic/obs-ux-logs-team

@@ -550,6 +550,7 @@
     "@kbn/fleet-plugin": "link:x-pack/platform/plugins/shared/fleet",
     "@kbn/flot-charts": "link:src/platform/packages/shared/kbn-flot-charts",
     "@kbn/foo-plugin": "link:x-pack/test/ui_capabilities/common/plugins/foo_plugin",
+    "@kbn/fs": "link:x-pack/platform/packages/shared/kbn-fs",
     "@kbn/ftr-apis-plugin": "link:src/platform/plugins/private/ftr_apis",
     "@kbn/functional-with-es-ssl-cases-test-plugin": "link:x-pack/test/functional_with_es_ssl/plugins/cases",
     "@kbn/gen-ai-streaming-response-example-plugin": "link:x-pack/examples/gen_ai_streaming_response_example",
@@ -1124,6 +1125,7 @@
     "deepmerge": "^4.3.1",
     "del": "^6.1.0",
     "diff": "^8.0.2",
+    "dompurify": "^3.3.0",
     "dotenv": "^16.4.5",
     "elastic-apm-node": "^4.13.0",
     "email-addresses": "^5.0.0",
@@ -1164,6 +1166,7 @@
     "js-search": "^1.4.3",
     "js-sha256": "^0.11.0",
     "js-yaml": "^4.1.0",
+    "jsdom": "^20.0.1",
     "json-schema-to-ts": "^3.1.1",
     "json-stable-stringify": "^1.0.1",
     "json-stringify-pretty-compact": "1.2.0",
@@ -1178,6 +1181,7 @@
     "lodash": "^4.17.21",
     "lru-cache": "^11.2.1",
     "lz-string": "^1.5.0",
+    "magic-bytes.js": "^1.12.1",
     "mapbox-gl-draw-rectangle-mode": "1.0.4",
     "maplibre-gl": "3.1.0",
     "markdown-it": "^14.1.0",
@@ -1774,7 +1778,6 @@
     "jest-snapshot": "^29.7.0",
     "jest-specific-snapshot": "^8.0.0",
     "jest-styled-components": "7.0.3",
-    "jsdom": "^20.0.1",
     "json-schema-typed": "^8.0.1",
     "json5": "^2.2.3",
     "license-checker": "^25.0.1",

@@ -23,5 +23,6 @@ module.exports = {
     no_deprecated_authz_config: require('./rules/no_deprecated_authz_config'),
     require_kibana_feature_privileges_naming: require('./rules/require_kibana_feature_privileges_naming'),
     scout_no_describe_configure: require('./rules/scout_no_describe_configure'),
+    require_kbn_fs: require('./rules/require_kbn_fs'),
   },
 };
@@ -0,0 +1,151 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+const DEFAULT_ERROR_MSG = 'Use `@kbn/fs` instead of direct `fs` imports';
+const DEFAULT_RESTRICTED_METHODS = ['writeFile', 'writeFileSync', 'createWriteStream'];
+
+module.exports = {
+  meta: {
+    type: 'problem',
+    docs: {
+      description: 'Enforce usage of @kbn/fs instead of direct fs imports',
+      category: 'Best Practices',
+      recommended: true,
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          restrictedMethods: {
+            type: 'array',
+            items: { type: 'string' },
+            description: 'List of fs methods to restrict. If empty, all methods are restricted.',
+          },
+          disallowedMessage: {
+            type: 'string',
+            description: 'Custom error message',
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+  create: (context) => {
+    const {
+      restrictedMethods = DEFAULT_RESTRICTED_METHODS,
+      disallowedMessage = DEFAULT_ERROR_MSG,
+    } = context.options[0] || {};
+    const restrictAll = restrictedMethods.length === 0;
+
+    // Track variables imported from fs modules (default/namespace imports)
+    const fsImportedVars = new Set();
+
+    const isRestrictedMethod = (methodName) => {
+      return restrictAll || restrictedMethods.includes(methodName);
+    };
+
+    const checkImportSpecifiers = (node) => {
+      if (!node.specifiers || node.specifiers.length === 0) {
+        return false;
+      }
+
+      // Check named imports: import { writeFile } from 'fs'
+      return node.specifiers.some((spec) => {
+        if (spec.type === 'ImportSpecifier') {
+          return isRestrictedMethod(spec.imported.name);
+        }
+        // ImportDefaultSpecifier or ImportNamespaceSpecifier - don't restrict
+        // as they might only use read operations
+        return false;
+      });
+    };
+
+    const isFsModule = (modulePath) => {
+      return (
+        modulePath === 'fs' ||
+        modulePath === 'fs/promises' ||
+        modulePath === 'node:fs' ||
+        modulePath === 'node:fs/promises'
+      );
+    };
+
+    return {
+      ImportDeclaration(node) {
+        const modulePath = node.source.value;
+        if (isFsModule(modulePath)) {
+          // Track default and namespace imports for method call detection
+          if (node.specifiers) {
+            for (const spec of node.specifiers) {
+              if (
+                spec.type === 'ImportDefaultSpecifier' ||
+                spec.type === 'ImportNamespaceSpecifier'
+              ) {
+                const varName = spec.local?.name;
+                if (varName) {
+                  fsImportedVars.add(varName);
+                }
+              }
+            }
+          }
+
+          // Check named imports for immediate restriction
+          if (checkImportSpecifiers(node)) {
+            context.report({
+              node,
+              message: disallowedMessage,
+            });
+          }
+        }
+      },
+      CallExpression(node) {
+        const { callee } = node;
+
+        if (callee.type === 'MemberExpression') {
+          const objectName = callee.object.name;
+          const propertyName = callee.property?.name;
+
+          // Check method calls on fs directly: fs.writeFile()
+          if (objectName === 'fs' && propertyName && isRestrictedMethod(propertyName)) {
+            return context.report({
+              node,
+              message: disallowedMessage,
+            });
+          }
+
+          // Check method calls on fs.promises: fs.promises.writeFile()
+          if (
+            callee.object.type === 'MemberExpression' &&
+            callee.object.object?.name === 'fs' &&
+            callee.object.property?.name === 'promises' &&
+            propertyName &&
+            isRestrictedMethod(propertyName)
+          ) {
+            return context.report({
+              node,
+              message: disallowedMessage,
+            });
+          }
+
+          // Check method calls on imported fs variables: promises.writeFile()
+          if (
+            objectName &&
+            fsImportedVars.has(objectName) &&
+            propertyName &&
+            isRestrictedMethod(propertyName)
+          ) {
+            return context.report({
+              node,
+              message: disallowedMessage,
+            });
+          }
+        }
+      },
+    };
+  },
+};