[CodeQL] String length validation for API Routes (elastic#270485)

* Introduces a new CodeQL rule to alert on API routes that use either
`@kbn/config-schema` or `zod` in a way that allows for strings of
unbounded length. This is a companion to our existing CodeQL rule that
alerts on unbounded arrays.
* Introduces a [file exclusion
pattern](https://github.com/legrego/kibana/blob/87f43b9bc3bc1a78b718cbb845861de32e53c3e7/.github/codeql/custom-queries/dos/KibanaDoSExclusions.qll)
for both of our DoS CodeQL rules to allow us to more systematically omit
files from alerting on these findings, if it is clear that their usage
of these validation schemas is not for the purpose of API route
validation.

---------

Co-authored-by: Elena Shostak <165678770+elena-shostak@users.noreply.github.com>

Author: legrego

.github/codeql/custom-queries/dos/KibanaDoSExclusions.qll

@@ -0,0 +1,73 @@
+/**
+ * Shared predicates for excluding non-request-payload schema usages from
+ * Kibana DoS queries (unbounded strings, unbounded arrays, etc.).
+ *
+ * CONSERVATIVE POLICY: Only exclude file paths that NEVER contain HTTP request
+ * payload schemas. When in doubt, keep the finding — a false positive is far
+ * less costly than missing a real vulnerability.
+ *
+ * For one-off false positives in mixed-purpose files, use inline suppression:
+ *   // codeql[js/kibana/unbounded-string-in-schema] reason
+ *   // codeql[js/kibana/unbounded-array-in-schema] reason
+ *
+ * If a new file category consistently produces false positives, add a path
+ * pattern here rather than scattering per-line suppressions.
+ */
+
+import javascript
+
+/**
+ * Holds when `e` resides in a file whose schemas are known to never validate
+ * HTTP request payloads. These fall into structural/data-at-rest categories:
+ * plugin configuration, saved-object attributes, UI settings, content
+ * management layer schemas, sample-data registration, AI/LLM output schemas,
+ * and tooling config.
+ */
+predicate shouldExcludeFileFromDoSRules(Expr e) {
+  exists(string path | path = e.getFile().getRelativePath() |
+    // Plugin configuration (kibana.yml settings)
+    e.getFile().getBaseName() = "config.ts"
+    or
+    // Plugin server entry points (re-exports only)
+    (e.getFile().getBaseName() = "index.ts" and
+     path.regexpMatch(".*/plugins/[^/]+(/[^/]+)?/server/index\\.ts"))
+    or
+    // Saved-object attribute schemas (versioned shapes, never route payloads)
+    path.regexpMatch(".*/saved_objects/schemas/.*")
+    or
+    // Saved-object model-version migration schemas
+    path.regexpMatch(".*/saved_objects/model_versions/.*")
+    or
+    // Saved-object type sub-schemas (e.g. cases/server/saved_object_types/*/schemas/*)
+    path.regexpMatch(".*/saved_object_types/.*/schemas/.*")
+    or
+    // Dashboard saved-object attribute schemas
+    path.regexpMatch(".*/dashboard_saved_object/schema/.*")
+    or
+    // Content-management layer schemas (maps, lens, links CM CRUD)
+    path.regexpMatch(".*/content_management/schema/.*")
+    or
+    // UI-settings definitions (Advanced Settings value schemas)
+    e.getFile().getBaseName() = "ui_settings.ts"
+    or
+    path.regexpMatch(".*/ui_settings/.*")
+    or
+    // Sample-data registration schema (internal registration, not HTTP input)
+    path.regexpMatch(".*/sample_data/lib/sample_dataset_schema\\.ts")
+    or
+    // Connector-schema type-only files (no route handlers)
+    path.regexpMatch(".*/kbn-connector-schemas/.*/types/.*")
+    or
+    // LLM/AI structured-output schemas
+    path.regexpMatch(".*/compaction_schema\\.ts")
+    or
+    // Agent-builder tool parameter schemas (AI tool arguments, not HTTP routes)
+    path.regexpMatch(".*/agent_builder/tools/.*")
+    or
+    // Benchmark tooling config schemas
+    path.regexpMatch(".*/kbn-bench/.*")
+    or
+    // Scout test-environment config schemas
+    path.regexpMatch(".*/kbn-scout/.*/schema/.*")
+  )
+}

.github/codeql/custom-queries/dos/UnboundedArrayInRoute.md

@@ -11,7 +11,7 @@ An attacker could exploit unbounded array validation by sending extremely large
 - Application crashes due to out-of-memory conditions
 - Degraded performance affecting all users of the system
 
-The query specifically targets `schema.arrayOf()` calls that are missing the `maxSize` option in the second argument. It excludes configuration files (`config.ts`) and plugin entry points (`server/index.ts`) as these typically handle trusted internal configuration rather than external user input.
+The query specifically targets `schema.arrayOf()` calls that are missing the `maxSize` option in the second argument. It uses a shared exclusion list (defined in `KibanaDoSExclusions.qll`) to skip files whose schemas are known to never validate HTTP request payloads, such as saved-object attribute schemas, plugin configuration, UI settings definitions, content-management layer schemas, and similar structural/data-at-rest categories. See that file for the full set of excluded path patterns.
 
 ## Recommendation
 
@@ -119,6 +119,19 @@ router.post({
 }, handler);
 ```
 
+## False positives and suppression
+
+This query intentionally casts a wide net — it flags all unbounded `schema.arrayOf()` calls except those in file paths that are clearly non-payload contexts. Some findings will be in schemas that validate route **responses**, saved-object attributes in shared files, or other non-request-payload contexts. These are expected false positives.
+
+To suppress a legitimate false positive, add a `codeql[...]` comment on the line above the flagged call:
+
+```javascript
+// codeql[js/kibana/unbounded-array-in-schema] internal registration — not route input
+schema.arrayOf(schema.string())
+```
+
+The exclusion list in `KibanaDoSExclusions.qll` is maintained conservatively and may be updated as new non-payload schema patterns are identified. If you encounter a false positive that affects an entire file category (not a one-off), consider proposing an addition to the shared exclusion library rather than adding per-line suppressions.
+
 ## References
 
 - [OWASP: Denial of Service Attacks](https://owasp.org/www-community/attacks/Denial_of_Service)

.github/codeql/custom-queries/dos/UnboundedArrayInRoute.qhelp

@@ -19,10 +19,19 @@ requests. This can cause:
 <li>Degraded performance affecting all users of the system</li>
 </ul>
 <p>
-The query specifically targets <code>schema.arrayOf()</code> calls that are missing the 
-<code>maxSize</code> option in the second argument. It excludes configuration files 
-(<code>config.ts</code>) and plugin entry points (<code>server/index.ts</code>) as these 
-typically handle trusted internal configuration rather than external user input.
+The query specifically targets <code>schema.arrayOf()</code> calls that are missing the
+<code>maxSize</code> option in the second argument. It uses a shared exclusion list (defined
+in <code>KibanaDoSExclusions.qll</code>) to skip files whose schemas are known to never validate
+HTTP request payloads, such as saved-object attribute schemas, plugin configuration, UI settings
+definitions, content-management layer schemas, and similar structural/data-at-rest categories.
+See that file for the full set of excluded path patterns.
+</p>
+<p>
+Some findings will be in schemas that validate route <b>responses</b> or other non-request-payload
+contexts. These are expected false positives. To suppress a legitimate false positive, add a
+<code>codeql[js/kibana/unbounded-array-in-schema]</code> comment on the line above the flagged
+call. If a false positive affects an entire file category, consider proposing an addition to
+<code>KibanaDoSExclusions.qll</code> rather than adding per-line suppressions.
 </p>
 </overview>
 

.github/codeql/custom-queries/dos/UnboundedArrayInRoute.ql

@@ -14,6 +14,7 @@
  */
 
 import javascript
+import dos.KibanaDoSExclusions
 
 /**
  * Gets the local variable bound to 'schema' imported from '@kbn/config-schema'
@@ -22,7 +23,11 @@ LocalVariable schemaVariable() {
   exists(ImportDeclaration decl, ImportSpecifier spec |
     decl.getImportedPathExpr().getStringValue() = "@kbn/config-schema" and
     spec = decl.getASpecifier() and
-    spec.getImportedName() = "schema" and
+    (
+      spec.getImportedName() = "schema"
+      or
+      spec instanceof ImportNamespaceSpecifier
+    ) and
     result = spec.getLocal().getVariable()
   )
 }
@@ -54,25 +59,10 @@ class SchemaArrayOfCall extends CallExpr {
   }
 }
 
-/**
- * Identifies files that should be excluded from analysis:
- * - config.ts files (plugin configuration, not request validation)
- * - index.ts files at plugin server root (typically re-exports)
- */
-predicate isInExcludedFile(Expr e) {
-  e.getFile().getBaseName() = "config.ts"
-  or
-  // Exclude index.ts at plugin server root: plugins/*/server/index.ts or plugins/*/*/server/index.ts
-  (
-    e.getFile().getBaseName() = "index.ts" and
-    e.getFile().getRelativePath().regexpMatch(".*/plugins/[^/]+(/[^/]+)?/server/index\\.ts")
-  )
-}
-
 from SchemaArrayOfCall arrayCall
 where
   not arrayCall.hasMaxSize() and
-  not isInExcludedFile(arrayCall)
+  not shouldExcludeFileFromDoSRules(arrayCall)
 select arrayCall,
   "This schema.arrayOf() call does not specify a maxSize. Unbounded input can cause Denial of Service (DoS) vulnerabilities. Consider adding { maxSize: N } as the second argument."