Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set a maximum depth for nested queries #3268

Closed
kkhatua opened this issue May 10, 2022 · 9 comments · Fixed by #11670
Closed

Set a maximum depth for nested queries #3268

kkhatua opened this issue May 10, 2022 · 9 comments · Fixed by #11670
Assignees
Labels
enhancement Enhancement or improvement to existing feature or request good first issue Good for newcomers hacktoberfest Global event that encourages people to contribute to open-source. Search:Resiliency v2.13.0 Issues and PRs related to version 2.13.0 v3.0.0 Issues and PRs related to version 3.0.0

Comments

@kkhatua
Copy link
Member

kkhatua commented May 10, 2022

Is your feature request related to a problem? Please describe.
A recent review of the dependency libraries showed that CVE-2020-36518 (jackson-databind) can lead to creation of a large depth of nested objects and potentially cause a stack overflow.

Describe the solution you'd like
While the immediate fix is upgrading the affected library to a patched version of the library (#2599) we need to constrain this depth in general. This would be the fastest mitigation to protect against other possible vulnerabilities that can be exploited like this through other means, or even by accidental generation through a script.

Describe alternatives you've considered
None. Introduction of a max limit (cluster level setting) would be sufficient to address the issue in general, in context of exploits and in the context of rogue queries generated by accident.

Additional context
None

@kkhatua kkhatua added enhancement Enhancement or improvement to existing feature or request untriaged labels May 10, 2022
@dblock
Copy link
Member

dblock commented May 10, 2022

Since #2599 was merged and backported to 2.x, 1.x (please check whether it was released as part of 1.3.2 and 2.0-rc1), do I correctly understand that while we don't have to add a limit for this particular problem, we want it for general hygiene to avoid similar issues in the future?

@kkhatua
Copy link
Member Author

kkhatua commented May 10, 2022

Since #2599 was merged and backported to 2.x, 1.x (please check whether it was released as part of 1.3.2 and 2.0-rc1), do I correctly understand that while we don't have to add a limit for this particular problem, we want it for general hygiene to avoid similar issues in the future?

Yes, that is correct. Having a parameter-based limit allows for mitigating the risk.

@dblock dblock added the good first issue Good for newcomers label May 10, 2022
@warmachinesocial
Copy link

Hi team, I'm very new this project and I would like to ask you if you could tell the best way to begin and get to know general overview of it (architecture). I didn't jackson was a parser for java until now, I would like to ask on jackson-databind what is really is? I did some googling but don't know about the underneath of the library

@Poojita-Raj Poojita-Raj added the hacktoberfest Global event that encourages people to contribute to open-source. label Sep 29, 2022
@divyam-agarwal
Copy link

Hi, I would like to take this up. Could you please assign me this issue?

@anasalkouz
Copy link
Member

Hi @divyam-agarwal, it has been a while since your last comment, are you actively working on this?

@MansiShinde
Copy link

Hi @sejli, I would like to take up this issue as a part of OSCI. Could you please assign it to me? Thanks!

@mkhludnev
Copy link
Contributor

mkhludnev commented Dec 23, 2023

Q: Should we also check depth of nested scopes in mapping? documents?
A: ok. already have index.mapping.nested_objects.limit, index.mapping.nested_objects.limit

@mkhludnev
Copy link
Contributor

Please have a look at #11670 There are no docs, and I'm hesitating about naming.

mkhludnev added a commit to mkhludnev/OpenSearch that referenced this issue Jan 3, 2024
Signed-off-by: Mikhail Khludnev <mkhl@apache.org>
@mkhludnev
Copy link
Contributor

mkhludnev commented Feb 3, 2024

@reta reta added v3.0.0 Issues and PRs related to version 3.0.0 v2.13.0 Issues and PRs related to version 2.13.0 labels Feb 10, 2024
reta pushed a commit that referenced this issue Feb 10, 2024
* Introduce index.query.max_nested_depth. fix #3268

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

* min index.query.max_nested_depth=1

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

* CHANGELOG.md

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

* keep lines as they were

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

---------

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>
Signed-off-by: Mikhail Khludnev <mkhludnev@users.noreply.github.com>
Co-authored-by: Mikhail Khludnev <gedel@yandex.ru>
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in Search Project Board Feb 10, 2024
peteralfonsi pushed a commit to peteralfonsi/OpenSearch that referenced this issue Mar 1, 2024
…pensearch-project#11670)

* Introduce index.query.max_nested_depth. fix opensearch-project#3268

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

* min index.query.max_nested_depth=1

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

* CHANGELOG.md

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

* keep lines as they were

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

---------

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>
Signed-off-by: Mikhail Khludnev <mkhludnev@users.noreply.github.com>
Co-authored-by: Mikhail Khludnev <gedel@yandex.ru>
rayshrey pushed a commit to rayshrey/OpenSearch that referenced this issue Mar 18, 2024
…pensearch-project#11670)

* Introduce index.query.max_nested_depth. fix opensearch-project#3268

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

* min index.query.max_nested_depth=1

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

* CHANGELOG.md

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

* keep lines as they were

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

---------

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>
Signed-off-by: Mikhail Khludnev <mkhludnev@users.noreply.github.com>
Co-authored-by: Mikhail Khludnev <gedel@yandex.ru>
shiv0408 pushed a commit to Gaurav614/OpenSearch that referenced this issue Apr 25, 2024
…pensearch-project#11670)

* Introduce index.query.max_nested_depth. fix opensearch-project#3268

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

* min index.query.max_nested_depth=1

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

* CHANGELOG.md

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

* keep lines as they were

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>

---------

Signed-off-by: Mikhail Khludnev <mkhl@apache.org>
Signed-off-by: Mikhail Khludnev <mkhludnev@users.noreply.github.com>
Co-authored-by: Mikhail Khludnev <gedel@yandex.ru>
Signed-off-by: Shivansh Arora <hishiv@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Enhancement or improvement to existing feature or request good first issue Good for newcomers hacktoberfest Global event that encourages people to contribute to open-source. Search:Resiliency v2.13.0 Issues and PRs related to version 2.13.0 v3.0.0 Issues and PRs related to version 3.0.0
Projects
Archived in project
Development

Successfully merging a pull request may close this issue.

10 participants