fix: add maxSize to unbounded arrayOf in prebuilt rule assets schema

nikitaindik · nikitaindik · commit cb124ca1185b · 2026-03-03T12:10:39.000+01:00
Adds a maxSize constraint to the tags field in the prebuilt rule assets saved object schema to resolve CodeQL alert #2072 (unbounded-array-in-schema). Made-with: Cursor
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/logic/rule_assets/prebuilt_rule_assets_type.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/logic/rule_assets/prebuilt_rule_assets_type.ts
@@ -11,6 +11,14 @@ import type { SavedObjectsType } from '@kbn/core/server';
 
 export const PREBUILT_RULE_ASSETS_SO_TYPE = 'security-rule';
 
+/**
+ * Upper bound for the number of tags per prebuilt rule asset.
+ * In practice, prebuilt rule assets typically have fewer than 15 tags.
+ * This limit exists to satisfy the "unbounded-array-in-schema" CodeQL check.
+ * See: https://github.com/elastic/kibana/security/code-scanning/2072
+ */
+const MAX_TAGS_PER_RULE = 100;
+
 const securityRuleV1 = schema.object(
   {
     rule_id: schema.string(),
@@ -22,7 +30,7 @@ const securityRuleV1 = schema.object(
 const securityRuleV2 = securityRuleV1.extends(
   {
     name: schema.string(),
-    tags: schema.maybe(schema.arrayOf(schema.string())),
+    tags: schema.maybe(schema.arrayOf(schema.string(), { maxSize: MAX_TAGS_PER_RULE })),
     severity: schema.string(),
     risk_score: schema.number(),
   },
