From 54f8f819ef3807aa6ab9958ff15957c926bcaec4 Mon Sep 17 00:00:00 2001
From: Ryan Ernst <ryan@iernst.net>
Date: Thu, 29 Mar 2018 22:10:03 -0700
Subject: [PATCH] Search: Validate script query is run with a single script
 (#29304)

The parsing code for script query currently silently skips by any tokens
it does not know about within its parsing loop. The only token it does
not catch is an array, which means pasing multiple scripts in via an
array will cause the last script to be parsed and one, silently dropping
the others. This commit adds validation that arrays are not seen while
parsing.
---
 .../index/query/ScriptQueryBuilder.java       |  6 +++++
 .../index/query/ScriptQueryBuilderTests.java  | 22 ++++++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/server/src/main/java/org/elasticsearch/index/query/ScriptQueryBuilder.java b/server/src/main/java/org/elasticsearch/index/query/ScriptQueryBuilder.java
index 9cae2f3e061..3bb7113d215 100644
--- a/server/src/main/java/org/elasticsearch/index/query/ScriptQueryBuilder.java
+++ b/server/src/main/java/org/elasticsearch/index/query/ScriptQueryBuilder.java
@@ -111,6 +111,12 @@ public class ScriptQueryBuilder extends AbstractQueryBuilder<ScriptQueryBuilder>
                 } else {
                     throw new ParsingException(parser.getTokenLocation(), "[script] query does not support [" + currentFieldName + "]");
                 }
+            } else {
+                if (token != XContentParser.Token.START_ARRAY) {
+                    throw new AssertionError("Impossible token received: " + token.name());
+                }
+                throw new ParsingException(parser.getTokenLocation(),
+                    "[script] query does not support an array of scripts. Use a bool query with a clause per script instead.");
             }
         }
 
diff --git a/server/src/test/java/org/elasticsearch/index/query/ScriptQueryBuilderTests.java b/server/src/test/java/org/elasticsearch/index/query/ScriptQueryBuilderTests.java
index acde2e65e1f..0252468e717 100644
--- a/server/src/test/java/org/elasticsearch/index/query/ScriptQueryBuilderTests.java
+++ b/server/src/test/java/org/elasticsearch/index/query/ScriptQueryBuilderTests.java
@@ -20,7 +20,7 @@
 package org.elasticsearch.index.query;
 
 import org.apache.lucene.search.Query;
-import org.elasticsearch.index.query.ScriptQueryBuilder.ScriptQuery;
+import org.elasticsearch.common.ParsingException;
 import org.elasticsearch.script.MockScriptEngine;
 import org.elasticsearch.script.Script;
 import org.elasticsearch.script.ScriptType;
@@ -32,6 +32,7 @@ import java.util.Collections;
 import java.util.Map;
 import java.util.Set;
 
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.instanceOf;
 
 public class ScriptQueryBuilderTests extends AbstractQueryTestCase<ScriptQueryBuilder> {
@@ -89,6 +90,25 @@ public class ScriptQueryBuilderTests extends AbstractQueryTestCase<ScriptQueryBu
         assertEquals(json, "5", parsed.script().getIdOrCode());
     }
 
+    public void testArrayOfScriptsException() {
+        String json =
+            "{\n" +
+                "  \"script\" : {\n" +
+                "    \"script\" : [ {\n" +
+                "      \"source\" : \"5\",\n" +
+                "      \"lang\" : \"mockscript\"\n" +
+                "    },\n" +
+                "    {\n" +
+                "      \"source\" : \"6\",\n" +
+                "      \"lang\" : \"mockscript\"\n" +
+                "    }\n ]" +
+                "  }\n" +
+                "}";
+
+        ParsingException e = expectThrows(ParsingException.class, () -> parseQuery(json));
+        assertThat(e.getMessage(), containsString("does not support an array of scripts"));
+    }
+
     @Override
     protected Set<String> getObjectsHoldingArbitraryContent() {
         //script_score.script.params can contain arbitrary parameters. no error is expected when