[Security] Include an empty json object in an json array when FLS filters out all fields (#30709)

Prior to this change an json array element with no fields would be omitted from json array.
Nested inner hits source filtering relies on the fact that the json array element numbering
remains untouched and this causes AOOB exceptions in the ES side during the fetch phase
without this change.

Closes #30624
This commit is contained in:
Martijn van Groningen 2018-05-22 13:53:34 +02:00 committed by GitHub
parent e6a784c474
commit 25959ed8cf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 3 deletions

View File

@ -193,9 +193,7 @@ public final class FieldSubsetReader extends FilterLeafReader {
continue; continue;
} }
Map<String, Object> filteredValue = filter((Map<String, ?>)value, includeAutomaton, state); Map<String, Object> filteredValue = filter((Map<String, ?>)value, includeAutomaton, state);
if (filteredValue.isEmpty() == false) { filtered.add(filteredValue);
filtered.add(filteredValue);
}
} else if (value instanceof Iterable) { } else if (value instanceof Iterable) {
List<Object> filteredValue = filter((Iterable<?>) value, includeAutomaton, initialState); List<Object> filteredValue = filter((Iterable<?>) value, includeAutomaton, initialState);
if (filteredValue.isEmpty() == false) { if (filteredValue.isEmpty() == false) {

View File

@ -716,6 +716,22 @@ public class FieldSubsetReaderTests extends ESTestCase {
expected.put("foo", subArray); expected.put("foo", subArray);
assertEquals(expected, filtered); assertEquals(expected, filtered);
// json array objects that have no matching fields should be left empty instead of being removed:
// (otherwise nested inner hit source filtering fails with AOOB)
map = new HashMap<>();
map.put("foo", "value");
List<Map<?, ?>> values = new ArrayList<>();
values.add(Collections.singletonMap("foo", "1"));
values.add(Collections.singletonMap("baz", "2"));
map.put("bar", values);
include = new CharacterRunAutomaton(Automatons.patterns("bar.baz"));
filtered = FieldSubsetReader.filter(map, include, 0);
expected = new HashMap<>();
expected.put("bar", Arrays.asList(new HashMap<>(), Collections.singletonMap("baz", "2")));
assertEquals(expected, filtered);
} }
/** /**