From c41c5c2f6d0c8cd8b7fdb9a20b38c242b51da28c Mon Sep 17 00:00:00 2001 From: Bharathwaj G Date: Thu, 25 May 2023 14:53:06 +0530 Subject: [PATCH] fixing input validation in segments and delete pit request (#6645) * fixing input validation in segments and delete pit request Signed-off-by: Bharathwaj G --- CHANGELOG.md | 1 + .../indices/segments/TransportPitSegmentsAction.java | 9 ++++++--- .../action/search/TransportDeletePitAction.java | 9 ++++++--- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ac6ac2632403f..526b4be689cc4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -144,6 +144,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), - Replaces ZipInputStream with ZipFile to fix Zip Slip vulnerability ([#7230](https://github.com/opensearch-project/OpenSearch/pull/7230)) - Add missing validation/parsing of SearchBackpressureMode of SearchBackpressureSettings ([#7541](https://github.com/opensearch-project/OpenSearch/pull/7541)) - [Search Pipelines] Better exception handling in search pipelines ([#7735](https://github.com/opensearch-project/OpenSearch/pull/7735)) +- Fix input validation in segments and delete pit request ([#6645](https://github.com/opensearch-project/OpenSearch/pull/6645)) ### Security diff --git a/server/src/main/java/org/opensearch/action/admin/indices/segments/TransportPitSegmentsAction.java b/server/src/main/java/org/opensearch/action/admin/indices/segments/TransportPitSegmentsAction.java index 5c22a39cf3a40..d843b3a9452a5 100644 --- a/server/src/main/java/org/opensearch/action/admin/indices/segments/TransportPitSegmentsAction.java +++ b/server/src/main/java/org/opensearch/action/admin/indices/segments/TransportPitSegmentsAction.java @@ -44,8 +44,10 @@ import java.io.IOException; import java.util.ArrayList; import java.util.Collections; +import java.util.LinkedHashSet; import java.util.List; import java.util.Map; +import java.util.Set; import java.util.stream.Collectors; import static org.opensearch.action.search.SearchContextId.decode; @@ -94,8 +96,7 @@ public TransportPitSegmentsAction( */ @Override protected void doExecute(Task task, PitSegmentsRequest request, ActionListener listener) { - List pitIds = request.getPitIds(); - if (pitIds.size() == 1 && "_all".equals(pitIds.get(0))) { + if (request.getPitIds().size() == 1 && "_all".equals(request.getPitIds().get(0))) { pitService.getAllPits(ActionListener.wrap(response -> { request.clearAndSetPitIds(response.getPitInfos().stream().map(ListPitInfo::getPitId).collect(Collectors.toList())); super.doExecute(task, request, listener); @@ -114,7 +115,9 @@ protected void doExecute(Task task, PitSegmentsRequest request, ActionListener iterators = new ArrayList<>(); - for (String pitId : request.getPitIds()) { + // remove duplicates from the request + Set uniquePitIds = new LinkedHashSet<>(request.getPitIds()); + for (String pitId : uniquePitIds) { SearchContextId searchContext = decode(namedWriteableRegistry, pitId); for (Map.Entry entry : searchContext.shards().entrySet()) { final SearchContextIdForNode perNode = entry.getValue(); diff --git a/server/src/main/java/org/opensearch/action/search/TransportDeletePitAction.java b/server/src/main/java/org/opensearch/action/search/TransportDeletePitAction.java index b85fe302a748f..217fcc1489df7 100644 --- a/server/src/main/java/org/opensearch/action/search/TransportDeletePitAction.java +++ b/server/src/main/java/org/opensearch/action/search/TransportDeletePitAction.java @@ -18,8 +18,10 @@ import java.util.ArrayList; import java.util.HashMap; +import java.util.LinkedHashSet; import java.util.List; import java.util.Map; +import java.util.Set; import java.util.stream.Collectors; /** @@ -46,8 +48,7 @@ public TransportDeletePitAction( */ @Override protected void doExecute(Task task, DeletePitRequest request, ActionListener listener) { - List pitIds = request.getPitIds(); - if (pitIds.size() == 1 && "_all".equals(pitIds.get(0))) { + if (request.getPitIds().size() == 1 && "_all".equals(request.getPitIds().get(0))) { deleteAllPits(listener); } else { deletePits(listener, request); @@ -59,7 +60,9 @@ protected void doExecute(Task task, DeletePitRequest request, ActionListener listener, DeletePitRequest request) { Map> nodeToContextsMap = new HashMap<>(); - for (String pitId : request.getPitIds()) { + // remove duplicates from the request + Set uniquePitIds = new LinkedHashSet<>(request.getPitIds()); + for (String pitId : uniquePitIds) { SearchContextId contextId = SearchContextId.decode(namedWriteableRegistry, pitId); for (SearchContextIdForNode contextIdForNode : contextId.shards().values()) { PitSearchContextIdForNode pitSearchContext = new PitSearchContextIdForNode(pitId, contextIdForNode);