Relaxed validation for painless script when used in role templates #62845

Merged

ywangd
Member

@ywangd ywangd commented Sep 24, 2020

Role template validation now performs only compilation if the script is painless. It no longer attempts to execute the script with empty input which is problematic. The compilation process will catch things like invalid syntax, undefined variables, which still provides a certain level of protection against ill-defined role templates. Behaviour for Mustache script is unchanged.

Since we are not ready to promote this feature, I label this PR as >non-issue to avoid it being part of the changelog/release notes.

Resolves: #62744
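
The difference between the two validation strategies described above, as an added Python analogy that is not part of the original pull request and is not Elasticsearch or Painless code. The `params` binding, the function names and the sample templates are assumptions constructed for illustration.

```python
import ast
import builtins

# Assumption: the script sees one input binding, "params", plus builtins.
KNOWN_NAMES = {"params"} | set(dir(builtins))

def validate_by_compilation(source):
    """Parse and resolve names only; the script is never run."""
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    nodes = list(ast.walk(tree))
    # Names bound inside the expression (comprehension targets, lambda args).
    bound = {n.id for n in nodes
             if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
    bound |= {n.arg for n in nodes if isinstance(n, ast.arg)}
    return sorted({f"undefined variable: {n.id}" for n in nodes
                   if isinstance(n, ast.Name)
                   and n.id not in KNOWN_NAMES | bound})

def validate_by_execution(source):
    """Run the script against empty input and report any failure."""
    try:
        eval(compile(source, "<template>", "eval"), {"params": {}})
    except Exception as exc:
        return [f"{type(exc).__name__}: {exc}"]
    return []

# Constructed sample templates.
VALID = '"dept_" + params["metadata"]["department"].lower()'
BAD_SYNTAX = '"dept_" + params["metadata"'
BAD_NAME = '"dept_" + parms["metadata"]["department"]'

if __name__ == "__main__":
    for src in (VALID, BAD_SYNTAX, BAD_NAME):
        print(src)
        print("  compile-only:", validate_by_compilation(src) or "ok")
        print("  empty-input run:", validate_by_execution(src) or "ok")
```

The well-formed template is rejected by the empty-input run because it dereferences a key that only exists at runtime, while the compile-only check accepts it and still rejects the syntax error and the misspelled variable.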

@ywangd ywangd added >non-issue :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v8.0.0 v7.10.0 labels Sep 24, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-security (:Security/Authentication)

@elasticmachine elasticmachine added the Team:Security Meta label for security team label Sep 24, 2020
Contributor

@albertzaharovits albertzaharovits left a comment

LGTM

@ywangd ywangd merged commit bfd4eba into elastic:master Sep 29, 2020
ywangd added a commit to ywangd/elasticsearch that referenced this pull request Sep 29, 2020
Role template validation now performs only compilation if the script is painless.
It no longer attempts to execute the script with empty input which is problematic.
The compilation process will catch things like invalid syntax, undefined variables,
which still provides a certain level of protection against ill-defined role templates.
Behaviour for Mustache script is unchanged.
ywangd added a commit that referenced this pull request Sep 29, 2020
…3010)

* Use compilation as validation for painless role template (#62845)

Role template validation now performs only compilation if the script is painless.
It no longer attempts to execute the script with empty input which is problematic.
The compilation process will catch things like invalid syntax, undefined variables,
which still provides a certain level of protection against ill-defined role templates.
Behaviour for Mustache script is unchanged.

* Checkstyle
Labels
>non-issue :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team v7.10.0 v8.0.0-alpha1
Successfully merging this pull request may close these issues.

Validation of role template scripts is too strict for Painless scripts
4 participants