Scripting: enable regular expressions by default (#63029) #63272

stu-elastic · 2020-10-05T17:38:37Z

Setting script.painless.regex.enabled has a new option,
use-factor, the default. This defaults to using regular
expressions but limiting the complexity of the regular
expressions.

In addition to use-factor, the setting can be true, as
before, which enables regular expressions without limiting them.

false totally disables regular expressions, which was the
old default.
New setting script.painless.regex.limit-factor. This limits
regular expression complexity by limiting the number characters
a regular expression can consider based on input length.

The default is 6, so a regular expression can consider
6 * input length number of characters. With input
foobarbaz (length 9), for example, the regular expression
can consider 54 (6 * 9) characters.

This reduces the impact of exponential backtracking in Java's
regular expression engine.
add @inject_constant annotation to whitelist.

This annotation signals that a compiler settings will
be injected at the beginning of a whitelisted method.

The format is argnum=settingname:
1=foo_setting 2=bar_setting.

Argument numbers must start at one and must be sequential.
Augment
Pattern.split(CharSequence)
Pattern.split(CharSequence, int),
Pattern.splitAsStream(CharSequence)
Pattern.matcher(CharSequence)
to take the value of script.painless.regex.limit-factor as a
an injected parameter, limiting as explained above when this
setting is in use.

Fixes: #49873
Backport of: 93f29a4

* Setting `script.painless.regex.enabled` has a new option, `use-factor`, the default. This defaults to using regular expressions but limiting the complexity of the regular expressions. In addition to `use-factor`, the setting can be `true`, as before, which enables regular expressions without limiting them. `false` totally disables regular expressions, which was the old default. * New setting `script.painless.regex.limit-factor`. This limits regular expression complexity by limiting the number characters a regular expression can consider based on input length. The default is `6`, so a regular expression can consider `6` * input length number of characters. With input `foobarbaz` (length `9`), for example, the regular expression can consider `54` (`6 * 9`) characters. This reduces the impact of exponential backtracking in Java's regular expression engine. * add `@inject_constant` annotation to whitelist. This annotation signals that a compiler settings will be injected at the beginning of a whitelisted method. The format is `argnum=settingname`: `1=foo_setting 2=bar_setting`. Argument numbers must start at one and must be sequential. * Augment `Pattern.split(CharSequence)` `Pattern.split(CharSequence, int)`, `Pattern.splitAsStream(CharSequence)` `Pattern.matcher(CharSequence)` to take the value of `script.painless.regex.limit-factor` as a an injected parameter, limiting as explained above when this setting is in use. Fixes: elastic#49873

elasticmachine · 2020-10-05T17:38:39Z

Pinging @elastic/es-core-infra (:Core/Infra/Scripting)

stu-elastic added 2 commits October 5, 2020 12:20

Replace repeat

2860849

stu-elastic added :Core/Infra/Scripting Scripting abstractions, Painless, and Mustache backport v7.10.0 labels Oct 5, 2020

elasticmachine added the Team:Core/Infra Meta label for core/infra team label Oct 5, 2020

stu-elastic merged commit 791a9d5 into elastic:7.x Oct 5, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Scripting: enable regular expressions by default (#63029) #63272

Scripting: enable regular expressions by default (#63029) #63272

Uh oh!

stu-elastic commented Oct 5, 2020

Uh oh!

elasticmachine commented Oct 5, 2020

Uh oh!

Uh oh!

Scripting: enable regular expressions by default (#63029) #63272

Scripting: enable regular expressions by default (#63029) #63272

Uh oh!

Conversation

stu-elastic commented Oct 5, 2020

Uh oh!

elasticmachine commented Oct 5, 2020

Uh oh!

Uh oh!