Sanitize report's inputs and usernames - 3.13.x

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 All notable changes to the Wazuh app project will be documented in this file.
 
+## Wazuh v3.13.5 - Kibana 7.9.2 - Revision 889
+
+- Sanitize report's inputs and usernames [#4336](https://github.com/wazuh/wazuh-kibana-app/pull/4336)
+
 ## Wazuh v3.13.2 - Kibana v7.9.2 - Revision 887
 
 ### Added

README.md

@@ -87,9 +87,9 @@ This plugin for Kibana allows you to visualize and analyze Wazuh alerts stored i
 
 ## Requisites
 
-- Wazuh HIDS 3.13.2
-- Wazuh RESTful API 3.13.2
-- Kibana 7.9.1
+- Wazuh HIDS 3.13.5
+- Wazuh RESTful API 3.13.5
+- Kibana 7.9.3
 - Elasticsearch 7.9.2
 
 ## Installation
@@ -98,7 +98,7 @@ Install the Wazuh app plugin for Kibana
 
 ```
 cd /usr/share/kibana
-sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.2_7.9.2.zip
+sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.5_7.9.2.zip
 ```
 
 Restart Kibana
@@ -164,7 +164,7 @@ Install the Wazuh app
 
 ```
 cd /usr/share/kibana/
-sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.2_7.9.2.zip
+sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.5_7.9.2.zip
 ```
 
 Update configuration file permissions.
@@ -193,6 +193,9 @@ service kibana restart
 
 | Wazuh app | Kibana | Open Distro | Package                                                         |
 | :-------: | :----: | :---------: | :-------------------------------------------------------------- |
+|   3.13.5  |  7.9.2 |             | <https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.5_7.9.2.zip> |
+|   3.13.4  |  7.9.2 |             | <https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.4_7.9.2.zip> |
+|   3.13.3  |  7.9.2 |             | <https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.3_7.9.2.zip> |
 |   3.13.2  |  7.9.2 |             | <https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.2_7.9.2.zip> |
 |   3.13.2  |  7.9.1 |             | <https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.2_7.9.1.zip> |
 |   3.13.2  |  7.8.0 |             | <https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.2_7.8.0.zip> |

package.json

@@ -1,8 +1,8 @@
 {
   "name": "wazuh",
-  "version": "3.13.2",
-  "revision": "0886",
-  "code": "0886-0",
+  "version": "3.13.5",
+  "revision": "0889",
+  "code": "0889-0",
   "kibana": {
     "version": "7.9.2"
   },
@@ -37,7 +37,8 @@
     "test": "_mocha test/**/*",
     "test:ui:runner": "node ../../scripts/functional_test_runner.js",
     "test:server": "plugin-helpers test:server",
-    "test:browser": "plugin-helpers test:browser"
+    "test:browser": "plugin-helpers test:browser",
+    "test:jest": "node test/jest/jest"
   },
   "dependencies": {
     "angular-animate": "1.7.8",

public/react-services/reporting.js

@@ -93,16 +93,11 @@ export class ReportingService {
       );
 
       const array = await this.vis2png.checkArray(idArray);
-      const name = `wazuh-${
-        isAgents ? 'agents' : 'overview'
-      }-${tab}-${(Date.now() / 1000) | 0}.pdf`;
 
       const browserTimezone = moment.tz.guess(true);
 
       const data = {
         array,
-        name,
-        title: isAgents ? `Agents ${tab}` : `Overview ${tab}`,
         filters: appliedFilters.filters,
         time: appliedFilters.time,
         searchBar: appliedFilters.searchBar,
@@ -138,26 +133,17 @@ export class ReportingService {
       this.$rootScope.reportStatus = 'Generating PDF document...';
       this.$rootScope.$applyAsync();
 
-      const docType =
-        type === 'agentConfig'
-          ? `wazuh-agent-${obj.id}`
-          : `wazuh-group-${obj.name}`;
-
-      const name = `${docType}-configuration-${(Date.now() / 1000) | 0}.pdf`;
       const browserTimezone = moment.tz.guess(true);
 
       const data = {
         array: [],
-        name,
-        filters: [
-          type === 'agentConfig' ? { agent: obj.id } : { group: obj.name }
-        ],
         time: '',
         searchBar: '',
         tables: [],
         tab: type,
         browserTimezone,
-        components
+        components,
+        ...(type === 'agentConfig' ? { agentID: obj.id } : { groupID: obj.name })
       };
 
       await this.genericReq.request('POST', '/reports', data);

public/services/reporting.js

@@ -85,16 +85,11 @@ export class ReportingService {
       );
 
       const array = await this.vis2png.checkArray(idArray);
-      const name = `wazuh-${
-        isAgents ? 'agents' : 'overview'
-      }-${tab}-${(Date.now() / 1000) | 0}.pdf`;
 
       const browserTimezone = moment.tz.guess(true);
 
       const data = {
         array,
-        name,
-        title: isAgents ? `Agents ${tab}` : `Overview ${tab}`,
         filters: appliedFilters.filters,
         time: appliedFilters.time,
         searchBar: appliedFilters.searchBar,
@@ -129,26 +124,17 @@ export class ReportingService {
       this.$rootScope.reportStatus = 'Generating PDF document...';
       this.$rootScope.$applyAsync();
 
-      const docType =
-        type === 'agentConfig'
-          ? `wazuh-agent-${obj.id}`
-          : `wazuh-group-${obj.name}`;
-
-      const name = `${docType}-configuration-${(Date.now() / 1000) | 0}.pdf`;
       const browserTimezone = moment.tz.guess(true);
 
       const data = {
         array: [],
-        name,
-        filters: [
-          type === 'agentConfig' ? { agent: obj.id } : { group: obj.name }
-        ],
         time: '',
         searchBar: '',
         tables: [],
         tab: type,
         browserTimezone,
-        components
+        components,
+        ...(type === 'agentConfig' ? { agentID: obj.id } : { groupID: obj.name })
       };
 
       await this.genericReq.request('POST', '/reports', data);

server/controllers/wazuh-reporting.js

@@ -1862,6 +1862,7 @@ export class WazuhReportingCtrl {
    * @returns {Object} pdf or ErrorResponse
    */
   async report(req, reply) {
+    let pathFilename;
     try {
       log('reporting:report', `Report started`, 'info');
       // Init
@@ -1886,7 +1887,7 @@ export class WazuhReportingCtrl {
       if (req.payload && req.payload.array) {
         const payload = (req || {}).payload || {};
         const headers = (req || {}).headers || {};
-        const { name, tab, section, isAgents, browserTimezone } = payload;
+        const { tab, section, isAgents, browserTimezone, agentID, groupID } = payload;
         const apiId = headers.id || false;
         const pattern = headers.pattern || false;
         const from = (payload.time || {}).from || false;
@@ -1895,6 +1896,20 @@ export class WazuhReportingCtrl {
         const isAgentConfig = tab === 'agentConfig';
         const isGroupConfig = tab === 'groupConfig';
 
+        // Generate the filename of report depeding on request parameters
+        const filename = tab === 'syscollector'
+          ? `wazuh-agent-inventory-${isAgents}-${this.generateReportTimestamp()}.pdf`
+          : (isAgentConfig
+            ? `wazuh-agent-configuration-${agentID}-${this.generateReportTimestamp()}.pdf`
+            : ( isGroupConfig
+              ? `wazuh-group-configuration-${groupID}-${this.generateReportTimestamp()}.pdf`
+              : `wazuh-module-${isAgents ? `agents-${isAgents}` : 'overview'}-${tab}-${this.generateReportTimestamp()}.pdf`
+              )
+            );
+
+        // Generate the path to filename
+        pathFilename = path.join(__dirname, REPORTING_PATH, filename);
+
         // Pass the namespace if present to all the requesters
         if (pattern) {
           const spaces = this.server.plugins.spaces;
@@ -1921,10 +1936,6 @@ export class WazuhReportingCtrl {
           throw new Error(
             'Reporting needs a valid Wazuh API ID in order to work properly'
           );
-        if (!name)
-          throw new Error(
-            'Reporting needs a valid file name in order to work properly'
-          );
 
         let tables = [];
         if (isGroupConfig) {
@@ -1940,19 +1951,18 @@ export class WazuhReportingCtrl {
             labels: 'Labels',
             sca: 'Security configuration assessment'
           };
-          const g_id = kfilters[0].group;
           kfilters = [];
           const enabledComponents = req.payload.components;
           this.dd.content.push({
-            text: `Group ${g_id} configuration`,
+            text: `Group ${groupID} configuration`,
             style: 'h1'
           });
           if (enabledComponents['0']) {
             let configuration = {};
             try {
               configuration = await this.apiRequest.makeGenericRequest(
                 'GET',
-                `/agents/groups/${g_id}/configuration`,
+                `/agents/groups/${groupID}/configuration`,
                 {},
                 apiId
               );
@@ -2150,7 +2160,7 @@ export class WazuhReportingCtrl {
             try {
               agentsInGroup = await this.apiRequest.makeGenericRequest(
                 'GET',
-                `/agents/groups/${g_id}`,
+                `/agents/groups/${groupID}`,
                 {},
                 apiId
               );
@@ -2159,7 +2169,7 @@ export class WazuhReportingCtrl {
             }
             await this.renderHeader(
               tab,
-              g_id,
+              groupID,
               (((agentsInGroup || []).data || []).items || []).map(x => x.id),
               apiId
             );
@@ -2168,12 +2178,11 @@ export class WazuhReportingCtrl {
         if (isAgentConfig) {
           const configurations = AgentConfiguration.configurations;
           const enabledComponents = req.payload.components;
-          const a_id = kfilters[0].agent;
           let wmodules = {};
           try {
             wmodules = await this.apiRequest.makeGenericRequest(
               'GET',
-              `/agents/${a_id}/config/wmodules/wmodules`,
+              `/agents/${agentID}/config/wmodules/wmodules`,
               {},
               apiId
             );
@@ -2182,7 +2191,7 @@ export class WazuhReportingCtrl {
           }
 
           kfilters = [];
-          await this.renderHeader(tab, tab, a_id, apiId);
+          await this.renderHeader(tab, tab, agentID, apiId);
           let idxComponent = 0;
           for (let config of configurations) {
             let titleOfSection = false;
@@ -2211,7 +2220,7 @@ export class WazuhReportingCtrl {
                     if (!conf['name']) {
                       data = await this.apiRequest.makeGenericRequest(
                         'GET',
-                        `/agents/${a_id}/config/${conf.component}/${conf.configuration}`,
+                        `/agents/${agentID}/config/${conf.component}/${conf.configuration}`,
                         {},
                         apiId
                       );
@@ -2692,25 +2701,16 @@ export class WazuhReportingCtrl {
 
         const pdfDoc = this.printer.createPdfKitDocument(this.dd);
         await pdfDoc.pipe(
-          fs.createWriteStream(
-            path.join(__dirname, REPORTING_PATH + '/' + req.payload.name)
-          )
+          fs.createWriteStream(pathFilename)
         );
         pdfDoc.end();
       }
       return { error: 0, data: null };
     } catch (error) {
       log('reporting:report', error.message || error);
       // Delete generated file if an error occurred
-      if (
-        ((req || {}).payload || {}).name &&
-        fs.existsSync(
-          path.join(__dirname, REPORTING_PATH + '/' + req.payload.name)
-        )
-      ) {
-        fs.unlinkSync(
-          path.join(__dirname, REPORTING_PATH + '/' + req.payload.name)
-        );
+      if ( pathFilename && fs.existsSync(pathFilename) ) {
+        fs.unlinkSync(pathFilename);
       }
       return ErrorResponse(error.message || error, 5029, 500, reply);
     }
@@ -2796,4 +2796,12 @@ export class WazuhReportingCtrl {
       return ErrorResponse(error.message || error, 5032, 500, reply);
     }
   }
+
+  /**
+   * Generate a current timestamp in seconds
+   * @returns 
+   */
+  generateReportTimestamp(){
+    return `${(Date.now() / 1000) | 0}`;
+  }
 }