[Security] Include an empty json object in an json array when FLS fil…

…ters out all fields (#30709) Prior to this change an json array element with no fields would be omitted from json array. Nested inner hits source filtering relies on the fact that the json array element numbering remains untouched and this causes AOOB exceptions in the ES side during the fetch phase without this change. Closes #30624
elastic · May 22, 2018 · c0d7aa2 · c0d7aa2
1 parent 7c06712
commit c0d7aa2
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/...ain/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java b/...ain/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReader.java
@@ -193,9 +193,7 @@ private static List<Object> filter(Iterable<?> iterable, CharacterRunAutomaton i
                     continue;
                 }
                 Map<String, Object> filteredValue = filter((Map<String, ?>)value, includeAutomaton, state);
-                if (filteredValue.isEmpty() == false) {
-                    filtered.add(filteredValue);
-                }
+                filtered.add(filteredValue);
             } else if (value instanceof Iterable) {
                 List<Object> filteredValue = filter((Iterable<?>) value, includeAutomaton, initialState);
                 if (filteredValue.isEmpty() == false) {

diff --git a/...ava/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReaderTests.java b/...ava/org/elasticsearch/xpack/core/security/authz/accesscontrol/FieldSubsetReaderTests.java
@@ -716,6 +716,22 @@ public void testSourceFiltering() {
         expected.put("foo", subArray);
 
         assertEquals(expected, filtered);
+
+        // json array objects that have no matching fields should be left empty instead of being removed:
+        // (otherwise nested inner hit source filtering fails with AOOB)
+        map = new HashMap<>();
+        map.put("foo", "value");
+        List<Map<?, ?>> values = new ArrayList<>();
+        values.add(Collections.singletonMap("foo", "1"));
+        values.add(Collections.singletonMap("baz", "2"));
+        map.put("bar", values);
+
+        include = new CharacterRunAutomaton(Automatons.patterns("bar.baz"));
+        filtered = FieldSubsetReader.filter(map, include, 0);
+
+        expected = new HashMap<>();
+        expected.put("bar", Arrays.asList(new HashMap<>(), Collections.singletonMap("baz", "2")));
+        assertEquals(expected, filtered);
     }
 
     /**