honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Search: Validate script query is run with a single script (#29304) 

The parsing code for script query currently silently skips by any tokens
it does not know about within its parsing loop. The only token it does
not catch is an array, which means pasing multiple scripts in via an
array will cause the last script to be parsed and one, silently dropping
the others. This commit adds validation that arrays are not seen while
parsing.
This commit is contained in:
Ryan Ernst 2018-03-29 22:10:03 -07:00 committed by GitHub
parent 5518640d46
commit 54f8f819ef
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
server/src/main/java/org/elasticsearch/index/query/ScriptQueryBuilder.java
View File

@ -111,6 +111,12 @@ public class ScriptQueryBuilder extends AbstractQueryBuilder<ScriptQueryBuilder>
} else {
throw new ParsingException(parser.getTokenLocation(), "[script] query does not support [" + currentFieldName + "]");
}
} else {
if (token != XContentParser.Token.START_ARRAY) {
throw new AssertionError("Impossible token received: " + token.name());
}
throw new ParsingException(parser.getTokenLocation(),
"[script] query does not support an array of scripts. Use a bool query with a clause per script instead.");
}
}

22
server/src/test/java/org/elasticsearch/index/query/ScriptQueryBuilderTests.java
View File

@ -20,7 +20,7 @@
package org.elasticsearch.index.query;
import org.apache.lucene.search.Query;
import org.elasticsearch.index.query.ScriptQueryBuilder.ScriptQuery;
import org.elasticsearch.common.ParsingException;
import org.elasticsearch.script.MockScriptEngine;
import org.elasticsearch.script.Script;
import org.elasticsearch.script.ScriptType;
@ -32,6 +32,7 @@ import java.util.Collections;
import java.util.Map;
import java.util.Set;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.instanceOf;
public class ScriptQueryBuilderTests extends AbstractQueryTestCase<ScriptQueryBuilder> {
@ -89,6 +90,25 @@ public class ScriptQueryBuilderTests extends AbstractQueryTestCase<ScriptQueryBu
assertEquals(json, "5", parsed.script().getIdOrCode());
}
public void testArrayOfScriptsException() {
String json =
"{\n" +
" \"script\" : {\n" +
" \"script\" : [ {\n" +
" \"source\" : \"5\",\n" +
" \"lang\" : \"mockscript\"\n" +
" },\n" +
" {\n" +
" \"source\" : \"6\",\n" +
" \"lang\" : \"mockscript\"\n" +
" }\n ]" +
" }\n" +
"}";
ParsingException e = expectThrows(ParsingException.class, () -> parseQuery(json));
assertThat(e.getMessage(), containsString("does not support an array of scripts"));
}
@Override
protected Set<String> getObjectsHoldingArbitraryContent() {
//script_score.script.params can contain arbitrary parameters. no error is expected when