Limit the depth of nested queries #55303

jimczi · 2020-04-16T12:32:00Z

Today we rely on recursion to parse, rewrite and create query builders that contains nested queries. This recursion can lead to stack overflow errors, for instance when dealing with a bool query that contains a chain of nested bool queries:

{
	"bool": {
		"should": {
			"boold": {
				"should": {
					"bool": {
						"should": {
							"bool": {
								"should": {
									...

These queries, usually created by mistake by a script, can have a negative impact on the cluster if they are not detected early.
We should have a mechanism to detect them and throw a comprehensive error when we see one in search or when trying to save a query.

The text was updated successfully, but these errors were encountered:

elasticmachine · 2020-04-16T12:32:02Z

Pinging @elastic/es-search (:Search/Search)

zacharymorn · 2020-05-03T22:06:59Z

Not sure if this solution would work:

Define a depth limit system property for admin of cluster to set
Change query processing method signatures to include depth accumulator
At recursive call, caller add 1 to accumulator
Upon entry to callee method, check accumulator against depth limit, and throw exception if exceeded

limit the depth of nested bool queries Introduce a new node level setting `indices.query.bool.max_nested_depth` that controls the depth of nested bool queries. Throw an error if a nested depth of a bool query exceeds the maximum allowed nested depth. Closes #55303

Limit the depth of nested bool queries Introduce a new node level setting indices.query.bool.max_nested_depth that controls the depth of nested bool queries. Throw an error if a nested depth of a bool query exceeds the maximum allowed nested depth. Backport #66204 closes #55303

resolves elastic#88367 Prior to this PR, the KQL node_builder code was using recursion to generate "and" & "or" expressions. Eg, `and(foo1=bar1, foo2=bar2, foo3=bar3)` would be generated as if was specified as `and(foo1=bar1, and(foo2=bar2, foo3=bar3))`. Calls to the builder with long lists of expressions would generate nested JSON as deep as the lists are long. This is problematic, as Elasticsearch is changing the default limit on nested bools to 20 levels, and alerting already generates nested bools greater than that limit. See: elastic/elasticsearch#55303 This PR changes the generated shape of above, so that all the nodes are at the same level, instead of the previous "recursive" treatment.

…es (#89345) resolves #88367 Prior to this PR, the KQL node_builder code was using recursion to generate "and" & "or" expressions. Eg, `and(foo1=bar1, foo2=bar2, foo3=bar3)` would be generated as if was specified as `and(foo1=bar1, and(foo2=bar2, foo3=bar3))`. Calls to the builder with long lists of expressions would generate nested JSON as deep as the lists are long. This is problematic, as Elasticsearch is changing the default limit on nested bools to 20 levels, and alerting already generates nested bools greater than that limit. See: elastic/elasticsearch#55303 This PR changes the generated shape of above, so that all the nodes are at the same level, instead of the previous "recursive" treatment.

…es (elastic#89345) resolves elastic#88367 Prior to this PR, the KQL node_builder code was using recursion to generate "and" & "or" expressions. Eg, `and(foo1=bar1, foo2=bar2, foo3=bar3)` would be generated as if was specified as `and(foo1=bar1, and(foo2=bar2, foo3=bar3))`. Calls to the builder with long lists of expressions would generate nested JSON as deep as the lists are long. This is problematic, as Elasticsearch is changing the default limit on nested bools to 20 levels, and alerting already generates nested bools greater than that limit. See: elastic/elasticsearch#55303 This PR changes the generated shape of above, so that all the nodes are at the same level, instead of the previous "recursive" treatment.

…es (#89345) (#89890) resolves #88367 Prior to this PR, the KQL node_builder code was using recursion to generate "and" & "or" expressions. Eg, `and(foo1=bar1, foo2=bar2, foo3=bar3)` would be generated as if was specified as `and(foo1=bar1, and(foo2=bar2, foo3=bar3))`. Calls to the builder with long lists of expressions would generate nested JSON as deep as the lists are long. This is problematic, as Elasticsearch is changing the default limit on nested bools to 20 levels, and alerting already generates nested bools greater than that limit. See: elastic/elasticsearch#55303 This PR changes the generated shape of above, so that all the nodes are at the same level, instead of the previous "recursive" treatment.

jimczi added >bug :Search/Search Search-related issues that do not fall into other categories labels Apr 16, 2020

rjernst added the Team:Search Meta label for search team label May 4, 2020

jimczi mentioned this issue Nov 20, 2020

java.lang.StackOverflowError for the entire cluster #64283

Closed

chengyang14 mentioned this issue Dec 11, 2020

limit the depth of nested bool queries #66204

Merged

mayya-sharipova closed this as completed in #66204 Jan 12, 2021

gmmorris mentioned this issue Jan 14, 2021

[Alerting] Alerting RBAC relies on complex queries that exceed the default max depth of nested bool queries elastic/kibana#88367

Closed

pmuellr mentioned this issue Jan 26, 2021

[data] change KQL node builder to not generate recursive and/or clauses elastic/kibana#89345

Merged

9 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Limit the depth of nested queries #55303

Limit the depth of nested queries #55303

jimczi commented Apr 16, 2020

elasticmachine commented Apr 16, 2020

zacharymorn commented May 3, 2020

Limit the depth of nested queries #55303

Limit the depth of nested queries #55303

Comments

jimczi commented Apr 16, 2020

elasticmachine commented Apr 16, 2020

zacharymorn commented May 3, 2020