From 8f2e3d54c935885ba948de0d1d39a73cee068355 Mon Sep 17 00:00:00 2001
From: Nathan L Smith
Date: Wed, 25 Sep 2024 16:30:52 -0500
Subject: [PATCH] Fix code scanning alert no. 456: Incomplete string escaping or encoding (#193909) Fixes [https://github.com/elastic/kibana/security/code-scanning/456](https://github.com/elastic/kibana/security/code-scanning/456) To fix the problem, we need to ensure that backslashes are also escaped in the `value` string. This can be done by first replacing backslashes with double backslashes and then replacing double quotes with escaped double quotes. This ensures that all occurrences of backslashes and double quotes are properly escaped. - Modify the `value.replace` call to first escape backslashes and then escape double quotes. - The changes will be made in the `createFilterFromOptions` function, specifically on line 128. _Suggested fixes powered by Copilot Autofix. Review carefully before merging._ Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> (cherry picked from commit 7458ff11174fe184afe4ec93c858f89063296abe) # Conflicts: # x-pack/plugins/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts
---
 .../metrics_explorer/components/helpers/create_tsvb_link.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts b/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts
index 84d87ee4ad1b7..4c3551db3cbcd 100644
--- a/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts
+++ b/x-pack/plugins/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts
@@ -125,7 +125,7 @@ export const createFilterFromOptions = (
 if (!value) {
 return null;
 }
- return `${field}: "${value.replace('"', '\\"')}"`;
+ return `${field}: "${value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
 })
 .join(' and ')
 : `${options.groupBy} : "${id}"`;
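Review bot: The fallback branch on the last line of this hunk still interpolates `id` into a quoted KQL value with no escaping, so the incomplete-escaping problem fixed here for `value` may remain there if `id` can contain a backslash or a double quote (where `id` comes from is outside the hunk). Apply the same chain to it, `id.replace(/\\/g, '\\\\').replace(/"/g, '\\"')`, ideally through one small helper shared by both branches so the backslash-before-quote order cannot drift between them. A unit test with a constructed sample value containing both a backslash and a double quote would pin the behaviour for both branches. createFilterFromOptions starts and ends outside the hunk.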