Additional information is collected when host details are updated using
the queries specified in the Fleet configuration. This additional
information is then available in the host API responses.
This adds SQL injection prevention for a case in which we cannot use
parameters in the query.
It is not clear that this was possible to exploit. If it was possible,
it would have required a valid login to the Fleet server.
Fleet does not use CGO. In some build situations, not explicitly
disabling CGO results in binaries that have linking errors when running
on an Alpine Docker container. This change should fix the build for
those containers.
Previously a Go package attempting to import Fleet packages would run
into an error like "server/kolide/emails.go:93:23: undefined: Asset".
This commit refactors bindata asset handling to allow importing Fleet as
a library without changing the typical developer experience.
Added a feature to select queries by name. If the --query-name flag is defined, fleetctl makes a call to get the query already saved in Fleet, and then, if it exists, fills the flQuery variable with the selected query statement.
Closes #2175
- Add toggle to disable live queries in advanced settings
- Add new live query status endpoint (checks for disabled via config and Redis health)
- Update QueryPage UI to use new live query status endpoint
Implements #2140
Update the github.com/russellhaering/goxmldsig dependency and apply
the appropriate fixes for the API changes.
This is a preparation for integration with
github.com/AbGuthrie/goquery, which uses a newer version of the
dependency.
- Add logging for new campaigns
- Add logging for new query creation/modification/deletion
- Add usernames for logs found in labels, options, packs, osquery options, queries and scheduled queries where something is created, modified or deleted
There was a prototype pollution vulnerability in 4.17.11 that is
unlikely to have high impact on Fleet due to all JS executing on the
client side. Upgrading lodash to satisfy security warnings from
GitHub.
Previously this was disabled (perhaps unintentionally due to the
duplicate settings in the .eslintrc.js). Enable the lint rule and fix
the violations.
May fix JS build issues on case-sensitive filesystems.
- Add the server_url_prefix flag for configuring this functionality
- Add prefix handling to the server routes
- Refactor JS to use appropriate paths from modules
- Use JS template to get URL prefix into JS environment
- Update webpack config to support prefixing
Thanks to securityonion.net for sponsoring the development of this feature.
Closes #1661