Remove usages for forbidden apis or suppress (elastic/elasticsearch#4850)

This is related to elastic/elasticsearch#22964. Methods that could
open socket connections are being made forbidden APIs. This commit
either replaces usages of URL.openStream() with a call to
FileSystemUtils.openFileURLStream(URL url) (in the case of a file URL)
or adds SuppressForbidden annotations.

Original commit: elastic/x-pack-elasticsearch@93b1b11375
Tim Brooks 2017-02-07 12:38:21 -06:00 committed by GitHub
parent bd04b30acd
commit b59ead91e0
5 changed files with 10 additions and 2 deletions


@ -14,6 +14,7 @@ import org.elasticsearch.cli.ExitCodes;
import org.elasticsearch.cli.EnvironmentAwareCommand;
import org.elasticsearch.cli.Terminal;
import org.elasticsearch.cli.UserException;
import org.elasticsearch.common.SuppressForbidden;
import org.elasticsearch.common.io.FileSystemUtils;
import org.elasticsearch.env.Environment;
@ -101,6 +102,7 @@ final class InstallXPackExtensionCommand extends EnvironmentAwareCommand {
}
/** Downloads the extension and returns the file it was downloaded to. */
@SuppressForbidden(reason = "We use openStream to download extensions")
private Path download(Terminal terminal, String extensionURL, Path tmpDir) throws Exception {
terminal.println("-> Downloading " + URLDecoder.decode(extensionURL, "UTF-8"));
URL url = new URL(extensionURL);
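Review bot: `@SuppressForbidden` is placed on the whole `download` method, so the forbidden-API check is silenced for every call in its body, not only the `openStream()` that the reason mentions; the body continues past the end of this hunk, so how much code is covered is not visible here. Since `extensionURL` appears to come from the command line and reaches `new URL(...)` with no scheme check in the visible lines, I would move the stream-opening call into a small private helper that carries the annotation, and have the reason say why a connection is acceptable there, e.g. `@SuppressForbidden(reason = "install command must fetch the operator-supplied extension URL")`. The same method-wide scope applies to the annotation added on `postURL` in ESNativeRealmMigrateTool in the next file section.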


@ -25,6 +25,7 @@ import org.elasticsearch.cli.Terminal;
import org.elasticsearch.cli.Terminal.Verbosity;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.SuppressForbidden;
import org.elasticsearch.common.logging.ESLoggerFactory;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
@ -134,6 +135,7 @@ public class ESNativeRealmMigrateTool extends MultiCommand {
terminal.println("users and roles imported.");
}
@SuppressForbidden(reason = "We call connect in doPrivileged and provide SocketPermission")
private String postURL(Settings settings, Environment env, String method, String urlString,
OptionSet options, @Nullable String bodyString) throws Exception {
URI uri = new URI(urlString);


@ -7,6 +7,7 @@ package org.elasticsearch.transport;
import org.apache.lucene.util.IOUtils;
import org.elasticsearch.action.Action;
import org.elasticsearch.common.io.FileSystemUtils;
import org.elasticsearch.common.io.PathUtils;
import org.elasticsearch.common.io.Streams;
import org.elasticsearch.common.settings.Settings;
@ -172,7 +173,7 @@ public class KnownActionsTests extends SecurityIntegTestCase {
// its checkWritable was incorrect and it won't work without write permissions.
// if we add the permission, it will open jars r/w, which is too scary! so copy to a safe r-w location.
Path tmp = createTempFile(null, ".jar");
try (InputStream in = codeLocation.openStream()) {
try (InputStream in = FileSystemUtils.openFileURLStream(codeLocation)) {
Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
}
fileSystem = FileSystems.newFileSystem(new URI("jar:" + tmp.toUri()), Collections.<String,Object>emptyMap());


@ -9,6 +9,7 @@ import org.apache.lucene.util.LuceneTestCase;
import org.elasticsearch.Version;
import org.elasticsearch.cli.MockTerminal;
import org.elasticsearch.cli.UserException;
import org.elasticsearch.common.io.FileSystemUtils;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.test.ESTestCase;
@ -122,7 +123,7 @@ public class InstallXPackExtensionCommandTests extends ESTestCase {
Path extDir = createTempDir();
String extZip = createExtension("fake", extDir);
Path extZipWithSpaces = createTempFile("foo bar", ".zip");
try (InputStream in = new URL(extZip).openStream()) {
try (InputStream in = FileSystemUtils.openFileURLStream(new URL(extZip))) {
Files.copy(in, extZipWithSpaces, StandardCopyOption.REPLACE_EXISTING);
}
installExtension(extZipWithSpaces.toUri().toURL().toString(), home);


@ -6,6 +6,7 @@
package org.elasticsearch.xpack.security.transport.filter;
import org.elasticsearch.client.Client;
import org.elasticsearch.common.SuppressForbidden;
import org.elasticsearch.common.network.NetworkModule;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
@ -70,6 +71,7 @@ public class IpFilteringIntegrationTests extends SecurityIntegTestCase {
}
}
@SuppressForbidden(reason = "Allow opening socket for test")
private void trySocketConnection(Socket socket, InetSocketAddress address) throws IOException {
logger.info("connecting to {}", address);
SocketAccess.doPrivileged(() -> socket.connect(address, 500));