From ba7913d1128d6d0d1b5805c8961240da5d6e1cf4 Mon Sep 17 00:00:00 2001
From: Alexander Spies
Date: Fri, 7 Jun 2024 18:21:06 +0200
Subject: [PATCH] Add yaml tests
---
 .../test/search/330_disallow_scripts.yml | 206 ++++++++++++++++++
 .../elasticsearch/search/SearchModule.java | 5 -
 2 files changed, 206 insertions(+), 5 deletions(-)
 create mode 100644 rest-api-spec/src/yamlRestTest/resources/rest-api-spec/test/search/330_disallow_scripts.yml
diff --git a/rest-api-spec/src/yamlRestTest/resources/rest-api-spec/test/search/330_disallow_scripts.yml b/rest-api-spec/src/yamlRestTest/resources/rest-api-spec/test/search/330_disallow_scripts.yml
new file mode 100644
index 0000000000000..6a9bd279f6096
--- /dev/null
+++ b/rest-api-spec/src/yamlRestTest/resources/rest-api-spec/test/search/330_disallow_scripts.yml
@@ -0,0 +1,206 @@
+# TODO: test also saved scripts
+setup:
+ - do:
+ indices.create:
+ index: test_index
+ body:
+ mappings:
+ properties:
+ some_value:
+ type: long
+ - do:
+ bulk:
+ index: test_index
+ refresh: true
+ body:
+ - '{"index": {}}'
+ - '{"some_value": 1}'
+ - '{"index": {}}'
+ - '{"some_value": 2}'
+ - '{"index": {}}'
+ - '{"some_value": 3}'
+---
+"all scripts allowed by default":
+ - do:
+ search:
+ index: test_index
+ size: 0
+ body:
+ aggs:
+ some_of_values:
+ scripted_metric:
+ init_script: 'state.transactions = []'
+ map_script: 'state.transactions.add(doc.some_value.value)'
+ combine_script: 'long sum = 0; for (t in state.transactions) { sum += t } return sum'
+ reduce_script: 'long sum = 0; for (a in states) { sum += a } return sum'
+
+ - match: { hits.total.value: 3 }
+ - match: { aggregations.some_of_values.value: 6}
+
+ - do:
+ cluster.put_settings:
+ body: >
+ {
+ "persistent": {
+ "search.aggs.allowed_metric_scripts": []
+ }
+ }
+
+ - do:
+ search:
+ index: test_index
+ size: 0
+ body:
+ aggs:
+ some_of_values:
+ scripted_metric:
+ init_script: 'state.transactions = []'
+ map_script: 'state.transactions.add(doc.some_value.value)'
+ combine_script: 'long sum = 0; for (t in state.transactions) { sum += t } return sum'
+ reduce_script: 'long sum = 0; for (a in states) { sum += a } return sum'
+
+ - match: { hits.total.value: 3 }
+ - match: { aggregations.some_of_values.value: 6}
+---
+"explicitly allowed scripts work":
+ - do:
+ cluster.put_settings:
+ body: >
+ {
+ "persistent": {
+ "search.aggs.allowed_metric_scripts": [
+ "state.transactions = []",
+ "state.transactions.add(doc.some_value.value)",
+ "long sum = 0; for (t in state.transactions) { sum += t } return sum",
+ "long sum = 0; for (a in states) { sum += a } return sum"
+ ]
+ }
+ }
+
+ - do:
+ search:
+ index: test_index
+ size: 0
+ body:
+ aggs:
+ some_of_values:
+ scripted_metric:
+ init_script: 'state.transactions = []'
+ map_script: 'state.transactions.add(doc.some_value.value)'
+ combine_script: 'long sum = 0; for (t in state.transactions) { sum += t } return sum'
+ reduce_script: 'long sum = 0; for (a in states) { sum += a } return sum'
+
+ - match: { hits.total.value: 3 }
+ - match: { aggregations.some_of_values.value: 6}
+---
+"init_script must be allowed":
+ - do:
+ cluster.put_settings:
+ body: >
+ {
+ "persistent": {
+ "search.aggs.allowed_metric_scripts": [
+ "state.transactions.add(doc.some_value.value)",
+ "long sum = 0; for (t in state.transactions) { sum += t } return sum",
+ "long sum = 0; for (a in states) { sum += a } return sum"
+ ]
+ }
+ }
+
+ - do:
+ catch: '/type=illegal_argument_exception, reason=\[init_script\] contains not allowed script: \[some_of_values\]/'
+ search:
+ index: test_index
+ size: 0
+ body:
+ aggs:
+ some_of_values:
+ scripted_metric:
+ init_script: 'state.transactions = []'
+ map_script: 'state.transactions.add(doc.some_value.value)'
+ combine_script: 'long sum = 0; for (t in state.transactions) { sum += t } return sum'
+ reduce_script: 'long sum = 0; for (a in states) { sum += a } return sum'
+---
+"map_script must be allowed":
+ - do:
+ cluster.put_settings:
+ body: >
+ {
+ "persistent": {
+ "search.aggs.allowed_metric_scripts": [
+ "state.transactions = []",
+ "long sum = 0; for (t in state.transactions) { sum += t } return sum",
+ "long sum = 0; for (a in states) { sum += a } return sum"
+ ]
+ }
+ }
+
+ - do:
+ catch: '/type=illegal_argument_exception, reason=\[map_script\] contains not allowed script: \[some_of_values\]/'
+ search:
+ index: test_index
+ size: 0
+ body:
+ aggs:
+ some_of_values:
+ scripted_metric:
+ init_script: 'state.transactions = []'
+ map_script: 'state.transactions.add(doc.some_value.value)'
+ combine_script: 'long sum = 0; for (t in state.transactions) { sum += t } return sum'
+ reduce_script: 'long sum = 0; for (a in states) { sum += a } return sum'
+---
+"combine_script must be allowed":
+ - do:
+ cluster.put_settings:
+ body: >
+ {
+ "persistent": {
+ "search.aggs.allowed_metric_scripts": [
+ "state.transactions = []",
+ "state.transactions.add(doc.some_value.value)",
+ "long sum = 0; for (a in states) { sum += a } return sum"
+ ]
+ }
+ }
+
+ - do:
+ catch: '/type=illegal_argument_exception, reason=\[combine_script\] contains not allowed script: \[some_of_values\]/'
+ search:
+ index: test_index
+ size: 0
+ body:
+ aggs:
+ some_of_values:
+ scripted_metric:
+ init_script: 'state.transactions = []'
+ map_script: 'state.transactions.add(doc.some_value.value)'
+ combine_script: 'long sum = 0; for (t in state.transactions) { sum += t } return sum'
+ reduce_script: 'long sum = 0; for (a in states) { sum += a } return sum'
+---
+"reduce_script must be allowed":
+ - do:
+ cluster.put_settings:
+ body: >
+ {
+ "persistent": {
+ "search.aggs.allowed_metric_scripts": [
+ "state.transactions = []",
+ "state.transactions.add(doc.some_value.value)",
+ "long sum = 0; for (t in state.transactions) { sum += t } return sum"
+ ]
+ }
+ }
+
+ - do:
+ catch: '/type=illegal_argument_exception, reason=\[reduce_script\] contains not allowed script: \[some_of_values\]/'
+ search:
+ index: test_index
+ size: 0
+ body:
+ aggs:
+ some_of_values:
+ scripted_metric:
+ init_script: 'state.transactions = []'
+ map_script: 'state.transactions.add(doc.some_value.value)'
+ combine_script: 'long sum = 0; for (t in state.transactions) { sum += t } return sum'
+ reduce_script: 'long sum = 0; for (a in states) { sum += a } return sum'
diff --git a/server/src/main/java/org/elasticsearch/search/SearchModule.java b/server/src/main/java/org/elasticsearch/search/SearchModule.java
index da7c7c12df0e8..1913682af6f36 100644
--- a/server/src/main/java/org/elasticsearch/search/SearchModule.java
+++ b/server/src/main/java/org/elasticsearch/search/SearchModule.java
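Review bot: In "all scripts allowed by default" of 330_disallow_scripts.yml, the second search runs after `search.aggs.allowed_metric_scripts` is set to `[]` and still expects the aggregation to succeed, so the test pins an empty allow-list as "allow everything" rather than "allow nothing". That is a fail-open reading of an allow-list: clearing the list lifts the restriction, and this setting alone cannot express "no scripted_metric scripts at all". If that is the intended contract, state it next to that step, e.g. `# an empty list means the restriction is off (all scripts allowed), not "deny all"`, so the assertion is not later mistaken for an accident. The leading `# TODO: test also saved scripts` matters for the same reason: every entry here is an inline script source, so whether a script referenced by id is checked against the list is not covered by this file. The tests also change a persistent cluster setting without a teardown, which presumably relies on the test runner resetting cluster settings between tests.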
@@ -294,12 +294,7 @@ public class SearchModule { public static final Setting> SCRIPTED_METRICS_AGG_ALLOWED_SCRIPTS_SETTING = Setting.stringListSetting( "search.aggs.allowed_metric_scripts", Setting.Property.NodeScope, - // TODO: remove, only for testing Setting.Property.Dynamic - // TODO: Potentially we could also the following, but that prevented - // ./gradlew run - // from working (node dies while waiting on ports). - // Setting.Property.Consistent ); /**
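Review bot: `Setting.Property.Dynamic` stays on `SCRIPTED_METRICS_AGG_ALLOWED_SCRIPTS_SETTING` while the `// TODO: remove, only for testing` line that questioned it is deleted, so the open question disappears without a recorded decision. The YAML tests added in this commit change the list through `cluster.put_settings`, so if a runtime-updatable allow-list is now intended, replace the TODO with a comment that says so, e.g. `// Dynamic on purpose: the allow-list can be changed at runtime by anyone permitted to update cluster settings`. Because this list gates which scripts may run, the existing Javadoc of the field (not visible in this hunk) should also say who is expected to change it and that changes take effect without a restart. The deleted note about `Setting.Property.Consistent` is dropped the same way; if it was ruled out, one line saying why would save the next reader the experiment. The enclosing class SearchModule starts and ends outside the hunk.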