From de435f1881f9efc85a3e77e876039f868079c55d Mon Sep 17 00:00:00 2001
From: Nathan L Smith
Date: Wed, 25 Sep 2024 16:30:52 -0500
Subject: [PATCH] Fix code scanning alert no. 456: Incomplete string escaping or encoding (#193909)
Fixes [https://github.com/elastic/kibana/security/code-scanning/456](https://github.com/elastic/kibana/security/code-scanning/456)
To fix the problem, we need to ensure that backslashes are also escaped in the `value` string. This can be done by first replacing backslashes with double backslashes and then replacing double quotes with escaped double quotes. This ensures that all occurrences of backslashes and double quotes are properly escaped.
- Modify the `value.replace` call to first escape backslashes and then escape double quotes.
- The changes will be made in the `createFilterFromOptions` function, specifically on line 128.
_Suggested fixes powered by Copilot Autofix. Review carefully before merging._
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
(cherry picked from commit 7458ff11174fe184afe4ec93c858f89063296abe)
# Conflicts:
# x-pack/plugins/observability_solution/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts
---
 .../metrics_explorer/components/helpers/create_tsvb_link.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugins/observability_solution/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts b/x-pack/plugins/observability_solution/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts
index ee64069cea737..e07011b6ebc62 100644
--- a/x-pack/plugins/observability_solution/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts
+++ b/x-pack/plugins/observability_solution/infra/public/pages/metrics/metrics_explorer/components/helpers/create_tsvb_link.ts
@@ -125,7 +125,7 @@ export const createFilterFromOptions = (
 if (!value) {
 return null;
 }
- return `${field}: "${value.replace('"', '\\"')}"`;
+ return `${field}: "${value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
 })
 .join(' and ')
 : `${options.groupBy} : "${id}"`;
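Review bot: The fallback branch on the last context line, `: \`${options.groupBy} : "${id}"\``, interpolates `id` into the same quoted filter syntax without the backslash/quote escaping the added line now applies to `value`; if `id` can carry a `"` or `\` it would break the filter in the same way, which is worth confirming against the callers. Rather than repeating the two chained `replace` calls, hoist them into one helper, e.g. `const escapeFilterValue = (s: string) => s.replace(/\\/g, '\\\\').replace(/"/g, '\\"');`, and use it for both `value` and `id`, so the escaping order (backslash first, then quote) is fixed in one place. A unit test with an input containing both `\` and `"` would pin that order, since reversing the two replacements would double-escape the quote. The body of createFilterFromOptions starts and ends outside this hunk.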