Skip to content

Create Security Role API allows malformed/invalid query JSON #34252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
tsouza opened this issue Oct 3, 2018 · 1 comment · Fixed by #46275
Closed

Create Security Role API allows malformed/invalid query JSON #34252

tsouza opened this issue Oct 3, 2018 · 1 comment · Fixed by #46275
Assignees
@bizybot
Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC

Comments

@tsouza
Copy link

tsouza commented Oct 3, 2018
edited
Loading

Elasticsearch version (bin/elasticsearch --version):
Version: 6.4.1, Build: default/tar/e36acdb/2018-09-13T22:18:07.696808Z, JVM: 10.0.1
Version: 6.3.0, Build: default/tar/424e937/2018-06-11T23:38:03.357887Z, JVM: 10.0.1

Plugins installed: []

JVM version (java -version):

java version "10.0.1" 2018-04-17
Java(TM) SE Runtime Environment 18.3 (build 10.0.1+10)
Java HotSpot(TM) 64-Bit Server VM 18.3 (build 10.0.1+10, mixed mode)

OS version (uname -a if on a Unix-like system):

Darwin ElasticMBP 17.7.0 Darwin Kernel Version 17.7.0: Thu Jun 21 22:53:14 PDT 2018; root:xnu-4570.71.2~1/RELEASE_X86_64 x86_64

Description of the problem including expected versus actual behavior:

The Create or update roles API will allow defining a malformed/invalid query JSON in it's query attribute definition. Any query that is executed by a user with a role that has a malformed/invalid JSON in query attribute will always fail.

The expected is that the attempt to create a role should always fail if it defines a malformed/invalid JSON in it's query attribute.

Additionally, the same is observed if a query attribute is defined with a correct JSON syntax but it's an invalid/unknown Elasticsearch query .

Note: This has been observed both in 6.3.0 and 6.4.1

Steps to reproduce:

  1. Create a role with a malformed/invalid JSON in it's query attribute:
POST /_xpack/security/role/test
{
  "indices" : [
    {
      "names" : [ "test-*" ],
      "privileges" : [ "read" ],
      "query": "{ malformed JSON }"
    }
  ]
}

Elasticsearch will accept the role definition and respond with:

{
  "role": {
    "created": true
  }
}
  1. Create a user with the role:
POST _xpack/security/user/test
{
  "password": "123456",
  "roles": [ "test" ]
}
  1. Index some test document:
POST test-1/doc
{
  "test": "doc"
}
  1. Test a search with user test. The search will fail since the resulting query is invalid:
$ curl -u test:123456 localhost:9200/test-1/_search
{"error":{"root_cause":[{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@49bcb51e; line: 1, column: 4]"},{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@52014fcf; line: 1, column: 4]"},{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@56e9f409; line: 1, column: 4]"},{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@34d339df; line: 1, column: 4]"},{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@32068a2e; line: 1, column: 4]"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"test-1","node":"tZDWdiboSy2tuPtyrL4nUQ","reason":{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@49bcb51e; line: 1, column: 4]","caused_by":{"type":"json_parse_exception","reason":"Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@49bcb51e; line: 1, column: 4]"}}},{"shard":1,"index":"test-1","node":"tZDWdiboSy2tuPtyrL4nUQ","reason":{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@52014fcf; line: 1, column: 4]","caused_by":{"type":"json_parse_exception","reason":"Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@52014fcf; line: 1, column: 4]"}}},{"shard":2,"index":"test-1","node":"tZDWdiboSy2tuPtyrL4nUQ","reason":{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@56e9f409; line: 1, column: 4]","caused_by":{"type":"json_parse_exception","reason":"Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@56e9f409; line: 1, column: 4]"}}},{"shard":3,"index":"test-1","node":"tZDWdiboSy2tuPtyrL4nUQ","reason":{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@34d339df; line: 1, column: 4]","caused_by":{"type":"json_parse_exception","reason":"Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@34d339df; line: 1, column: 4]"}}},{"shard":4,"index":"test-1","node":"tZDWdiboSy2tuPtyrL4nUQ","reason":{"type":"exception","reason":"com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@32068a2e; line: 1, column: 4]","caused_by":{"type":"json_parse_exception","reason":"Unexpected character ('m' (code 109)): was expecting double-quote to start field name\n at [Source: java.io.StringReader@32068a2e; line: 1, column: 4]"}}}]},"status":500}

Provide logs (if relevant):

[2018-10-02T21:11:59,619][WARN ][r.suppressed             ] path: /test-1/_search, params: {index=test-1}
org.elasticsearch.action.search.SearchPhaseExecutionException: all shards failed
	at org.elasticsearch.action.search.AbstractSearchAsyncAction.onPhaseFailure(AbstractSearchAsyncAction.java:293) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.action.search.AbstractSearchAsyncAction.executeNextPhase(AbstractSearchAsyncAction.java:133) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.action.search.AbstractSearchAsyncAction.onPhaseDone(AbstractSearchAsyncAction.java:254) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.action.search.InitialSearchPhase.onShardFailure(InitialSearchPhase.java:101) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.action.search.InitialSearchPhase.access$100(InitialSearchPhase.java:48) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.action.search.InitialSearchPhase$2.lambda$onFailure$1(InitialSearchPhase.java:222) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.action.search.InitialSearchPhase.maybeFork(InitialSearchPhase.java:176) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.action.search.InitialSearchPhase.access$000(InitialSearchPhase.java:48) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.action.search.InitialSearchPhase$2.onFailure(InitialSearchPhase.java:222) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.action.search.SearchExecutionStatsCollector.onFailure(SearchExecutionStatsCollector.java:73) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.action.ActionListenerResponseHandler.handleException(ActionListenerResponseHandler.java:51) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.action.search.SearchTransportService$ConnectionCountingHandler.handleException(SearchTransportService.java:526) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.transport.TransportService$ContextRestoreResponseHandler.handleException(TransportService.java:1068) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.transport.TransportService$DirectResponseChannel.processException(TransportService.java:1165) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.transport.TransportService$DirectResponseChannel.sendResponse(TransportService.java:1149) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.transport.TaskTransportChannel.sendResponse(TaskTransportChannel.java:66) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.action.search.SearchTransportService$6$1.onFailure(SearchTransportService.java:384) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService$2.onFailure(SearchService.java:341) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService$2.onResponse(SearchService.java:335) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService$2.onResponse(SearchService.java:329) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService$3.doRun(SearchService.java:1019) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:723) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.common.util.concurrent.TimedRunnable.doRun(TimedRunnable.java:41) [elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.4.1.jar:6.4.1]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1135) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
	at java.lang.Thread.run(Thread.java:844) [?:?]
Caused by: org.elasticsearch.ElasticsearchException: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name
 at [Source: java.io.StringReader@49bcb51e; line: 1, column: 4]
	at org.elasticsearch.ExceptionsHelper.convertToElastic(ExceptionsHelper.java:63) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.xpack.core.security.authz.accesscontrol.SecurityIndexSearcherWrapper.wrap(SecurityIndexSearcherWrapper.java:168) ~[?:?]
	at org.elasticsearch.index.shard.IndexSearcherWrapper.wrap(IndexSearcherWrapper.java:76) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.index.shard.IndexShard.acquireSearcher(IndexShard.java:1199) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.index.shard.IndexShard.acquireSearcher(IndexShard.java:1190) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService.createSearchContext(SearchService.java:616) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService.createSearchContext(SearchService.java:607) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService.createContext(SearchService.java:569) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:551) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:347) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService$2.onResponse(SearchService.java:333) ~[elasticsearch-6.4.1.jar:6.4.1]
	... 9 more
Caused by: com.fasterxml.jackson.core.JsonParseException: Unexpected character ('m' (code 109)): was expecting double-quote to start field name
 at [Source: java.io.StringReader@49bcb51e; line: 1, column: 4]
	at com.fasterxml.jackson.core.JsonParser._constructError(JsonParser.java:1702) ~[jackson-core-2.8.10.jar:2.8.10]
	at com.fasterxml.jackson.core.base.ParserMinimalBase._reportError(ParserMinimalBase.java:558) ~[jackson-core-2.8.10.jar:2.8.10]
	at com.fasterxml.jackson.core.base.ParserMinimalBase._reportUnexpectedChar(ParserMinimalBase.java:456) ~[jackson-core-2.8.10.jar:2.8.10]
	at com.fasterxml.jackson.core.json.ReaderBasedJsonParser._handleOddName(ReaderBasedJsonParser.java:1771) ~[jackson-core-2.8.10.jar:2.8.10]
	at com.fasterxml.jackson.core.json.ReaderBasedJsonParser.nextToken(ReaderBasedJsonParser.java:684) ~[jackson-core-2.8.10.jar:2.8.10]
	at org.elasticsearch.common.xcontent.json.JsonXContentParser.nextToken(JsonXContentParser.java:53) ~[elasticsearch-x-content-6.4.1.jar:6.4.1]
	at org.elasticsearch.xpack.core.security.authz.accesscontrol.SecurityIndexSearcherWrapper.evaluateTemplate(SecurityIndexSearcherWrapper.java:268) ~[?:?]
	at org.elasticsearch.xpack.core.security.authz.accesscontrol.SecurityIndexSearcherWrapper.wrap(SecurityIndexSearcherWrapper.java:135) ~[?:?]
	at org.elasticsearch.index.shard.IndexSearcherWrapper.wrap(IndexSearcherWrapper.java:76) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.index.shard.IndexShard.acquireSearcher(IndexShard.java:1199) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.index.shard.IndexShard.acquireSearcher(IndexShard.java:1190) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService.createSearchContext(SearchService.java:616) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService.createSearchContext(SearchService.java:607) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService.createContext(SearchService.java:569) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:551) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:347) ~[elasticsearch-6.4.1.jar:6.4.1]
	at org.elasticsearch.search.SearchService$2.onResponse(SearchService.java:333) ~[elasticsearch-6.4.1.jar:6.4.1]
	... 9 more
@tsouza tsouza added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Oct 3, 2018
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@bizybot bizybot self-assigned this Jun 24, 2019
@bizybot bizybot mentioned this issue Sep 3, 2019
Merged
bizybot pushed a commit to bizybot/elasticsearch that referenced this issue Sep 5, 2019
Validate query field when creating roles
6e1c8b6 
As of now the validation occurs at runtime when the query is being
executed. I think the reason was due to the use of template queries
which need runtime information as they need to be evaluated like
user information.

This commit adds validation for the role query but **not for the
template query** as we do not have the runtime information required
for evaluating the template query.
This also corrects some tests and roles.yml files where the `query` field was not
populated correctly.
For validation, the query is evaluated (if not a template), parsed to build the
`QueryBuilder` and verify if the query type is allowed.

Closes elastic#34252
bizybot added a commit that referenced this issue Sep 25, 2019
@bizybot
Validate query field when creating roles (#46275)
777f4b3 
In the current implementation, the validation of the role query
occurs at runtime when the query is being executed.

This commit adds validation for the role query when creating a role
but not for the template query as we do not have the runtime
information required for evaluating the template query (eg. authenticated user's
information). This is similar to the scripts that we
store but do not evaluate or parse if they are valid queries or not.

For validation, the query is evaluated (if not a template), parsed to build the
QueryBuilder and verify if the query type is allowed.

Closes #34252
bizybot added a commit to bizybot/elasticsearch that referenced this issue Sep 25, 2019
@bizybot
Validate query field when creating roles (elastic#46275)
1e3d3b4 
In the current implementation, the validation of the role query
occurs at runtime when the query is being executed.

This commit adds validation for the role query when creating a role
but not for the template query as we do not have the runtime
information required for evaluating the template query (eg. authenticated user's
information). This is similar to the scripts that we
store but do not evaluate or parse if they are valid queries or not.

For validation, the query is evaluated (if not a template), parsed to build the
QueryBuilder and verify if the query type is allowed.

Closes elastic#34252
@bizybot bizybot mentioned this issue Sep 25, 2019
Merged
bizybot added a commit that referenced this issue Sep 26, 2019
@bizybot
[Backport] Validate query field when creating roles (#46275) (#47094)
9a64b7a 
In the current implementation, the validation of the role query
occurs at runtime when the query is being executed.

This commit adds validation for the role query when creating a role
but not for the template query as we do not have the runtime
information required for evaluating the template query (eg. authenticated user's
information). This is similar to the scripts that we
store but do not evaluate or parse if they are valid queries or not.

For validation, the query is evaluated (if not a template), parsed to build the
QueryBuilder and verify if the query type is allowed.

Closes #34252
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bizybot bizybot

Labels
>bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Validate query field when creating roles bizybot/elasticsearch
3 participants
@tsouza @bizybot @elasticmachine