Description
Elasticsearch version (bin/elasticsearch --version):
Version: 6.4.1, Build: default/tar/e36acdb/2018-09-13T22:18:07.696808Z, JVM: 10.0.1
Version: 6.3.0, Build: default/tar/424e937/2018-06-11T23:38:03.357887Z, JVM: 10.0.1
Plugins installed: []
JVM version (java -version):
java version "10.0.1" 2018-04-17
Java(TM) SE Runtime Environment 18.3 (build 10.0.1+10)
Java HotSpot(TM) 64-Bit Server VM 18.3 (build 10.0.1+10, mixed mode)
OS version (uname -a if on a Unix-like system):
Darwin ElasticMBP 17.7.0 Darwin Kernel Version 17.7.0: Thu Jun 21 22:53:14 PDT 2018; root:xnu-4570.71.2~1/RELEASE_X86_64 x86_64
Description of the problem including expected versus actual behavior:
The Create or update roles API will allow defining a malformed/invalid query JSON in its query attribute definition. Any query that is executed by a user with a role that has a malformed/invalid JSON in query attribute will always fail.
The expected behavior is that the attempt to create a role should always fail if it defines a malformed/invalid JSON in its query attribute.
Additionally, the same is observed if a query attribute is defined with a correct JSON syntax but it's an invalid/unknown Elasticsearch query.
Note: This has been observed both in 6.3.0 and 6.4.1
Steps to reproduce:
- Create a role with a malformed/invalid JSON in its `query` attribute:
POST /_xpack/security/role/test
{
"indices" : [
{
"names" : [ "test-*" ],
"privileges" : [ "read" ],
"query": "{ malformed JSON }"
}
]
}
Elasticsearch will accept the role definition and respond with:
{
"role": {
"created": true
}
}
- Create a user with the role:
POST _xpack/security/user/test
{
"password": "123456",
"roles": [ "test" ]
}
- Index some test document:
POST test-1/doc
{
"test": "doc"
}
- Test a search with user `test`. The search will fail since the resulting query is invalid:
$ curl -u test:123456 localhost:9200/test-1/_search
{"error":{"root_cause":[{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@49bcb51e; line: 1, column: 4]"},{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@52014fcf; line: 1, column: 4]"},{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@56e9f409; line: 1, column: 4]"},{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@34d339df; line: 1, column: 4]"},{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@32068a2e; line: 1, column: 4]"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"test-1","node":"tZDWdiboSy2tuPtyrL4nUQ","reason":{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@49bcb51e; line: 1, column: 4]","caused_by":{"type":"json_parse_exception","reason":"Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@49bcb51e; line: 1, column: 4]"}}},{"shard":1,"index":"test-1","node":"tZDWdiboSy2tuPtyrL4nUQ","reason":{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting 
double-quote to start field name\n at [Source: java.io.StringReader@52014fcf; line: 1, column: 4]","caused_by":{"type":"json_parse_exception","reason":"Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@52014fcf; line: 1, column: 4]"}}},{"shard":2,"index":"test-1","node":"tZDWdiboSy2tuPtyrL4nUQ","reason":{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@56e9f409; line: 1, column: 4]","caused_by":{"type":"json_parse_exception","reason":"Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@56e9f409; line: 1, column: 4]"}}},{"shard":3,"index":"test-1","node":"tZDWdiboSy2tuPtyrL4nUQ","reason":{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@34d339df; line: 1, column: 4]","caused_by":{"type":"json_parse_exception","reason":"Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@34d339df; line: 1, column: 4]"}}},{"shard":4,"index":"test-1","node":"tZDWdiboSy2tuPtyrL4nUQ","reason":{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@32068a2e; line: 1, column: 4]","caused_by":{"type":"json_parse_exception","reason":"Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@32068a2e; line: 1, column: 4]"}}}]},"status":500}
Provide logs (if relevant):
[2018-10-02T21:11:59,619][WARN ][r.suppressed ] path: /test-1/_search, params: {index=test-1}
org.elasticsearch.action.search.SearchPhaseExecutionException: all shards failed
at org.elasticsearch.action.search.AbstractSearchAsyncAction.onPhaseFailure(AbstractSearchAsyncAction.java:293) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.action.search.AbstractSearchAsyncAction.executeNextPhase(AbstractSearchAsyncAction.java:133) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.action.search.AbstractSearchAsyncAction.onPhaseDone(AbstractSearchAsyncAction.java:254) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.action.search.InitialSearchPhase.onShardFailure(InitialSearchPhase.java:101) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.action.search.InitialSearchPhase.access$100(InitialSearchPhase.java:48) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.action.search.InitialSearchPhase$2.lambda$onFailure$1(InitialSearchPhase.java:222) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.action.search.InitialSearchPhase.maybeFork(InitialSearchPhase.java:176) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.action.search.InitialSearchPhase.access$000(InitialSearchPhase.java:48) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.action.search.InitialSearchPhase$2.onFailure(InitialSearchPhase.java:222) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.action.search.SearchExecutionStatsCollector.onFailure(SearchExecutionStatsCollector.java:73) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.action.ActionListenerResponseHandler.handleException(ActionListenerResponseHandler.java:51) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.action.search.SearchTransportService$ConnectionCountingHandler.handleException(SearchTransportService.java:526) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.transport.TransportService$ContextRestoreResponseHandler.handleException(TransportService.java:1068) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.transport.TransportService$DirectResponseChannel.processException(TransportService.java:1165) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.transport.TransportService$DirectResponseChannel.sendResponse(TransportService.java:1149) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.transport.TaskTransportChannel.sendResponse(TaskTransportChannel.java:66) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.action.search.SearchTransportService$6$1.onFailure(SearchTransportService.java:384) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService$2.onFailure(SearchService.java:341) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService$2.onResponse(SearchService.java:335) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService$2.onResponse(SearchService.java:329) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService$3.doRun(SearchService.java:1019) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:723) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.common.util.concurrent.TimedRunnable.doRun(TimedRunnable.java:41) [elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.4.1.jar:6.4.1]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
at java.lang.Thread.run(Thread.java:844) [?:?]
Caused by: org.elasticsearch.ElasticsearchException: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name
at [Source: java.io.StringReader@49bcb51e; line: 1, column: 4]
at org.elasticsearch.ExceptionsHelper.convertToElastic(ExceptionsHelper.java:63) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.xpack.core.security.authz.accesscontrol.SecurityIndexSearcherWrapper.wrap(SecurityIndexSearcherWrapper.java:168) ~[?:?]
at org.elasticsearch.index.shard.IndexSearcherWrapper.wrap(IndexSearcherWrapper.java:76) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.index.shard.IndexShard.acquireSearcher(IndexShard.java:1199) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.index.shard.IndexShard.acquireSearcher(IndexShard.java:1190) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService.createSearchContext(SearchService.java:616) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService.createSearchContext(SearchService.java:607) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService.createContext(SearchService.java:569) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:551) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:347) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService$2.onResponse(SearchService.java:333) ~[elasticsearch-6.4.1.jar:6.4.1]
... 9 more
Caused by: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name
at [Source: java.io.StringReader@49bcb51e; line: 1, column: 4]
at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1702) ~[jackson-core-2.8.10.jar:2.8.10]
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:558) ~[jackson-core-2.8.10.jar:2.8.10]
at com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:456) ~[jackson-core-2.8.10.jar:2.8.10]
at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddName(ReaderBasedJsonParser.java:1771) ~[jackson-core-2.8.10.jar:2.8.10]
at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:684) ~[jackson-core-2.8.10.jar:2.8.10]
at org.elasticsearch.common.xcontent.json.JsonXContentParser.nextToken(JsonXContentParser.java:53) ~[elasticsearch-x-content-6.4.1.jar:6.4.1]
at org.elasticsearch.xpack.core.security.authz.accesscontrol.SecurityIndexSearcherWrapper.evaluateTemplate(SecurityIndexSearcherWrapper.java:268) ~[?:?]
at org.elasticsearch.xpack.core.security.authz.accesscontrol.SecurityIndexSearcherWrapper.wrap(SecurityIndexSearcherWrapper.java:135) ~[?:?]
at org.elasticsearch.index.shard.IndexSearcherWrapper.wrap(IndexSearcherWrapper.java:76) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.index.shard.IndexShard.acquireSearcher(IndexShard.java:1199) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.index.shard.IndexShard.acquireSearcher(IndexShard.java:1190) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService.createSearchContext(SearchService.java:616) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService.createSearchContext(SearchService.java:607) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService.createContext(SearchService.java:569) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:551) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:347) ~[elasticsearch-6.4.1.jar:6.4.1]
at org.elasticsearch.search.SearchService$2.onResponse(SearchService.java:333) ~[elasticsearch-6.4.1.jar:6.4.1]
... 9 more
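
Until the role API rejects such definitions itself, role definitions can be linted before they are submitted or audited after the fact. The following is an added example, not part of the original report and not Elasticsearch code: the function names, the sample roles and the list of query types are assumptions, and the check only inspects the top-level key of each `query`, so it catches the two cases reported above (unparseable JSON, unknown query name) but not errors nested deeper in the query.

```python
import json

# Non-exhaustive sample of Elasticsearch query names (assumption of this
# example); "template" covers templated role queries, which are not expanded here.
KNOWN_QUERY_TYPES = {"match_all", "match", "term", "terms", "bool", "range",
                     "exists", "prefix", "wildcard", "ids", "template"}


def check_role_query(query):
    """Return None if the role's query looks usable, else a reason string."""
    if isinstance(query, str):
        # The role API accepts the query as a JSON string, as in the report.
        try:
            query = json.loads(query)
        except ValueError as exc:
            return f"malformed JSON: {exc}"
    if not isinstance(query, dict) or len(query) != 1:
        return "query must be a JSON object with exactly one top-level key"
    (name,) = query
    if name not in KNOWN_QUERY_TYPES:
        return f"unknown query type: {name!r}"
    return None


def audit_roles(roles):
    """roles: dict of role name -> role definition. Returns a list of findings."""
    findings = []
    for role_name, role in sorted(roles.items()):
        for i, entry in enumerate(role.get("indices", [])):
            if "query" in entry:
                reason = check_role_query(entry["query"])
                if reason:
                    findings.append((role_name, i, reason))
    return findings


# Constructed sample: "test" is the role from the report; the other two are
# hypothetical roles added for contrast.
SAMPLE_ROLES = {
    "test": {"indices": [{"names": ["test-*"], "privileges": ["read"],
                          "query": "{ malformed JSON }"}]},
    "unknown_type": {"indices": [{"names": ["test-*"], "privileges": ["read"],
                                  "query": "{\"not_a_query\": {}}"}]},
    "ok": {"indices": [{"names": ["test-*"], "privileges": ["read"],
                        "query": {"term": {"test": "doc"}}}]},
}

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES):
        print(finding)
```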