Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE-2023-23613] When excluding fields also exclude the term + .keyword #2375

Merged
merged 1 commit into from
Jan 5, 2023
Merged

[CVE-2023-23613] When excluding fields also exclude the term + .keyword #2375

merged 1 commit into from
Jan 5, 2023

Conversation

peternied
Copy link
Member

@peternied peternied commented Jan 4, 2023
edited
Loading

Description

There is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their auto-generated .keyword fields.

When excluding fields also exclude the term + .keyword

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@peternied peternied added the v2.5.0 'Issues and PRs related to version v2.5.0' label Jan 4, 2023
@peternied peternied requested a review from a team January 4, 2023 22:44
@peternied peternied added the backport 2.x backport to 2.x branch label Jan 4, 2023
DarshitChanpura
DarshitChanpura reviewed Jan 5, 2023
View reviewed changes
src/main/java/org/opensearch/security/configuration/DlsFlsFilterLeafReader.java
@@ -142,6 +142,7 @@ class DlsFlsFilterLeafReader extends SequentialStoredFieldsLeafReader {

if (firstChar == '!' || firstChar == '~') {
excludesSet.add(incExc.substring(1));
excludesSet.add(incExc.substring(1) + KEYWORD);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For my knowledge: What would this change accomplish?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When documents are parsed fields are mapped to types, for string mappings a keyword field is automatically created. By additional excluding keyword fields if you wanted to block a field actors, we would also block actors.keyword to ensure those field values are not included in queries.

@DarshitChanpura DarshitChanpura merged commit 1ec875c into opensearch-project:main Jan 5, 2023
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jan 5, 2023
@peternied @github-actions
When excluding fields also exclude the term + .keyword (#2375)
11bf47e 
Signed-off-by: Peter Nied <[email protected]>
(cherry picked from commit 1ec875c)
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Jan 5, 2023
Merged
@peternied peternied deleted the fls_keyword branch January 6, 2023 21:15
@peternied peternied changed the title When excluding fields also exclude the term + .keyword [CVE-2023-23613] When excluding fields also exclude the term + .keyword Jan 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DarshitChanpura DarshitChanpura DarshitChanpura approved these changes

@cwperks cwperks cwperks approved these changes

Assignees
No one assigned
Labels
backport 2.x backport to 2.x branch v2.5.0 'Issues and PRs related to version v2.5.0'
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@peternied @cwperks @DarshitChanpura