Skip to content

Always consume the body in has privileges #50298

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Dec 18, 2019
Merged

Always consume the body in has privileges #50298

merged 3 commits into from
Dec 18, 2019

Conversation

@jasontedor
Copy link
Member

@jasontedor jasontedor commented Dec 18, 2019

Our REST infrastructure will reject requests that have a body where the body of the request is never consumed. This ensures that we reject requests on endpoints that do not support having a body. This requires cooperation from the REST handlers though, to actually consume the body, otherwise the REST infrastructure will proceed with rejecting the request. This commit addresses an issue in the has privileges API where we would prematurely try to reject a request for not having a username, before consuming the body. Since the body was not consumed, the REST infrastructure would instead reject the request as a bad request.

Closes #50288

@jasontedor
Always consume the body in has privileges
6b3239e 
Our REST infrastructure will reject requests that have a body where the
body of the request is never consumed. This ensures that we reject
requests on endpoints that do not support having a body. This requires
cooperation from the REST handlers though, to actually consume the body,
otherwise the REST infrastructure will proceed with rejecting the
request. This commit addresses an issue in the has privileges API where
we would prematurely try to reject a request for not having a username,
before consuming the body. Since the body was not consumed, the REST
infrastructure would instead reject the request as a bad request.
@jasontedor jasontedor added >bug :Security/Security Security issues without another label v8.0.0 v7.6.0 v7.5.2 labels Dec 18, 2019
@elasticmachine
Copy link
Collaborator

elasticmachine commented Dec 18, 2019

Pinging @elastic/es-security (:Security/Security)

@jasontedor
Copy link
Member Author

jasontedor commented Dec 18, 2019

@elasticmachine run elasticsearch-ci/bwc

tvernum
tvernum approved these changes Dec 18, 2019
View reviewed changes
Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jasontedor jasontedor merged commit 4861a25 into elastic:master Dec 18, 2019
jasontedor added a commit that referenced this pull request Dec 18, 2019
@jasontedor
Always consume the body in has privileges (#50298)
7c5a3bc 
Our REST infrastructure will reject requests that have a body where the
body of the request is never consumed. This ensures that we reject
requests on endpoints that do not support having a body. This requires
cooperation from the REST handlers though, to actually consume the body,
otherwise the REST infrastructure will proceed with rejecting the
request. This commit addresses an issue in the has privileges API where
we would prematurely try to reject a request for not having a username,
before consuming the body. Since the body was not consumed, the REST
infrastructure would instead reject the request as a bad request.
jasontedor added a commit that referenced this pull request Dec 18, 2019
@jasontedor
Always consume the body in has privileges (#50298)
f2ad94e 
Our REST infrastructure will reject requests that have a body where the
body of the request is never consumed. This ensures that we reject
requests on endpoints that do not support having a body. This requires
cooperation from the REST handlers though, to actually consume the body,
otherwise the REST infrastructure will proceed with rejecting the
request. This commit addresses an issue in the has privileges API where
we would prematurely try to reject a request for not having a username,
before consuming the body. Since the body was not consumed, the REST
infrastructure would instead reject the request as a bad request.
@jasontedor jasontedor deleted the rest-has-privileges-consume-body branch December 18, 2019 14:51
SivagurunathanV pushed a commit to SivagurunathanV/elasticsearch that referenced this pull request Jan 23, 2020
@jasontedor @SivagurunathanV
Always consume the body in has privileges (elastic#50298)
5932d49 
Our REST infrastructure will reject requests that have a body where the
body of the request is never consumed. This ensures that we reject
requests on endpoints that do not support having a body. This requires
cooperation from the REST handlers though, to actually consume the body,
otherwise the REST infrastructure will proceed with rejecting the
request. This commit addresses an issue in the has privileges API where
we would prematurely try to reject a request for not having a username,
before consuming the body. Since the body was not consumed, the REST
infrastructure would instead reject the request as a bad request.
This was referenced Feb 3, 2020
Closed
Closed
@chrisronline chrisronline mentioned this pull request Mar 18, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tvernum tvernum tvernum approved these changes

Assignees

No one assigned

Labels

>bug :Security/Security Security issues without another label v7.5.2 v7.6.0 v8.0.0-alpha1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security api responses when security is disabled

4 participants

@jasontedor @elasticmachine @tvernum @jakelandis