kibana
[Core] Hostname is not escaped before setting header
Kibana sets the value of the kbn-name header to the system's hostname. If this hostname contains an invalid character (like '), all requests will fail with a 500 status code. Example of a hostname that causes the issue: Coen's-Macbook-Local-Pro.
Pinging @elastic/kibana-core (Team:Core)
Some pointers:
The server name comes from the server.name configuration option, which defaults to os.hostname():
https://github.com/elastic/kibana/blob/84db06c15d04bcaa011c41daf13ad1521deba604/packages/core/http/core-http-server-internal/src/http_config.ts#L37
The kbn-name header is set by an internal pre-response handler:
https://github.com/elastic/kibana/blob/84db06c15d04bcaa011c41daf13ad1521deba604/packages/core/http/core-http-server-internal/src/lifecycle_handlers.ts#L66-L71
Which, in the end, is applied to the HAPI response object using the official ResponseObject.header() API, here:
https://github.com/elastic/kibana/blob/84db06c15d04bcaa011c41daf13ad1521deba604/packages/core/http/core-http-server-internal/src/lifecycle/on_pre_response.ts#L121-L125
So the question is: why isn't HAPI itself properly handling / escaping invalid characters, and should it?
Given that Linux hostnames must be [a-z][0-9][-] this would be limited to running Kibana on OSX https://man7.org/linux/man-pages/man7/hostname.7.html#:~:text=Each%20element%20of%20the%20hostname,not%20start%20with%20a%20hyphen.
We should look into a few things:
- Would upstream hapi consider this a bug that could be fixed?
- How are these errors not getting properly surfaced?
- Can we strip out these chars Kibana-side for the time being?
@lukeelmers @pgayvallet regardless of whose responsibility it is to fix, if this is easy, can we patch this on our side sooner than later? This is really confusing to folks on new machines, and those are especially folks new to the company/Kibana.
Even if not fixed, should log something to point users in the right direction.
> can we patch this on our side sooner than later?
@dgieselaar I'm hoping to have this addressed in the next 3 weeks -- we are meeting on Tuesday to confirm our plans for that timeframe.
Okay, so with just a bit of investigation: The actual 'single quote' char used in the default computer name in macOS settings is not a single quote (ascii 39), but a ’ (code 8217), which is absolutely not allowed in headers (or in hostnames if we follow the unix specification, FWIW...)
FWIW, on macOS 10/11, this 'computer name' thing doesn't seem to be used as hostname (at least hostname or scutil --get HostName from a terminal doesn't reflect it). But it seems to be the case on macOS 12, apparently.
Fun thing is, when pasting this in Slack, the 8217 seems to be automatically converted to 39, which leads to more misleads.
Adding
server.name: "Pierre’s MacBook Pro"
to my config reproduces the issue:
To unblock the dev experience, I will open a PR to remove all non-ascii characters from the default value for the server.name configuration option (feels very safe, given unix hostnames don't have non-ascii chars, and, well, I don't think anyone uses a mac in production, and they would be affected if they do anyway). This will allow us to be less stressed by time to look at the issue as a whole here.
Here, https://github.com/elastic/kibana/pull/141350
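The check and workaround discussed in this thread, as an added example that is not part of the thread and is not code from Kibana or the linked PR. The function names, the fallback name and the "TAB plus printable ASCII" rule are assumptions made for illustration.

```javascript
// Added illustration; not Kibana's code and not the code from the linked PR.
// Assumption: a header value is treated as safe when it holds only TAB and
// printable ASCII (0x20-0x7e), a conservative subset of an HTTP field value.
const HEADER_SAFE = /^[\t\x20-\x7e]*$/;
const FALLBACK_NAME = 'kibana-host'; // hypothetical placeholder name

function isHeaderSafe(value) {
  return typeof value === 'string' && HEADER_SAFE.test(value);
}

// List each offending character with its code point, so a log line can show
// that a "quote" is really U+2019 (8217) and not ASCII 39.
function findUnsafeChars(value) {
  const found = [];
  for (const ch of value) {
    if (!HEADER_SAFE.test(ch)) {
      found.push({ char: ch, codePoint: ch.codePointAt(0) });
    }
  }
  return found;
}

// Strip everything outside printable ASCII; fall back to a fixed name when
// nothing usable is left, so the header is never empty.
function sanitizeServerName(hostname) {
  const cleaned = hostname.replace(/[^\x20-\x7e]/g, '').trim();
  return cleaned.length > 0 ? cleaned : FALLBACK_NAME;
}

// Resolve a default server name and produce a warning that points the user
// at server.name when the hostname had to be changed.
function resolveServerName(hostname) {
  if (isHeaderSafe(hostname)) {
    return { name: hostname, warning: null };
  }
  const codes = findUnsafeChars(hostname).map((c) => c.codePoint).join(', ');
  const name = sanitizeServerName(hostname);
  return {
    name,
    warning: `hostname has characters not allowed in headers (code points: ${codes}); ` +
      `using "${name}". Set server.name to override.`,
  };
}

// Constructed sample inputs: ASCII apostrophe (39) vs. U+2019 (8217).
console.log(resolveServerName("Coen's-Macbook-Local-Pro"));
console.log(resolveServerName('Pierre\u2019s MacBook Pro'));
```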
Lowering the impact on this issue as the short term solution in https://github.com/elastic/kibana/pull/141350 has unblocked the dev experience for now.
The workaround is sufficient. Closing this issue