Sanitize transient headers from thread context

slobodanadamovic · slobodanadamovic · commit 34d021202b29 · 2025-11-25T21:13:01.000+01:00
diff --git a/server/src/main/java/org/elasticsearch/common/util/concurrent/ThreadContext.java b/server/src/main/java/org/elasticsearch/common/util/concurrent/ThreadContext.java
@@ -16,11 +16,13 @@
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.io.stream.Writeable;
+import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.Maps;
 import org.elasticsearch.common.util.set.Sets;
+import org.elasticsearch.core.IOUtils;
 import org.elasticsearch.core.Releasable;
 import org.elasticsearch.core.Tuple;
 import org.elasticsearch.http.HttpTransportSettings;
@@ -773,6 +775,31 @@ public void sanitizeHeaders() {
         // intentionally not storing prior context to avoid restoring unwanted headers
     }
 
+    /**
+     * Removes unneeded transient headers from the thread context. Does not store prior context.
+     */
+    public void sanitizeTransientHeaders() {
+        final ThreadContextStruct originalContext = threadLocal.get();
+        final Map<String, Object> newTransientHeaders = Maps.newMapWithExpectedSize(originalContext.transientHeaders.size());
+        for (var entry : originalContext.transientHeaders.entrySet()) {
+            if (entry.getValue() instanceof SecureString secureString) {
+                IOUtils.closeWhileHandlingException(secureString);
+            } else {
+                newTransientHeaders.put(entry.getKey(), entry.getValue());
+            }
+        }
+
+        final ThreadContextStruct newContext = new ThreadContextStruct(
+            originalContext.requestHeaders,
+            originalContext.responseHeaders,
+            newTransientHeaders,
+            originalContext.isSystemContext,
+            originalContext.warningHeadersSize
+        );
+        threadLocal.set(newContext);
+        // intentionally not storing prior context to avoid restoring unwanted headers
+    }
+
     @FunctionalInterface
     public interface StoredContext extends AutoCloseable, Releasable {
         default void restore() {
diff --git a/server/src/test/java/org/elasticsearch/common/util/concurrent/ThreadContextTests.java b/server/src/test/java/org/elasticsearch/common/util/concurrent/ThreadContextTests.java
@@ -12,6 +12,7 @@
 import org.elasticsearch.common.ReferenceDocs;
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
 import org.elasticsearch.common.logging.HeaderWarning;
+import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.core.Tuple;
 import org.elasticsearch.http.HttpTransportSettings;
@@ -38,6 +39,7 @@
 import static org.hamcrest.Matchers.anEmptyMap;
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.hasSize;
@@ -1157,6 +1159,58 @@ public void testSanitizeHeaders() {
         }
     }
 
+    public void testSanitizeTransientHeaders() {
+        final ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
+
+        // add transient headers
+        final SecureString secureString1 = new SecureString("password1".toCharArray());
+        final String regularTransient1 = "string-value";
+        final Integer regularTransient2 = 42;
+        final Object regularTransient3 = new Object();
+        threadContext.putTransient("secure.key1", secureString1);
+        threadContext.putTransient("regular.key1", regularTransient1);
+        threadContext.putTransient("regular.key2", regularTransient2);
+        threadContext.putTransient("regular.key3", regularTransient3);
+
+        // add request and response headers that should be preserved
+        threadContext.putHeader("request-header", "request-value");
+        threadContext.addResponseHeader("response-header", "response-value");
+
+        threadContext.sanitizeTransientHeaders();
+
+        // verify secure string is removed from transient headers and closed
+        assertThat(threadContext.getTransient("secure.key1"), nullValue());
+        expectThrows(IllegalStateException.class, containsString("SecureString has already been closed"), secureString1::getChars);
+
+        // other headers should be unchanged
+        assertThat(threadContext.getTransient("regular.key1"), equalTo(regularTransient1));
+        assertThat(threadContext.getTransient("regular.key2"), equalTo(regularTransient2));
+        assertThat(threadContext.getTransient("regular.key3"), sameInstance(regularTransient3));
+        assertThat(threadContext.getHeader("request-header"), equalTo("request-value"));
+        assertThat(threadContext.getResponseHeaders().get("response-header").getFirst(), equalTo("response-value"));
+    }
+
+    public void testSanitizeTransientHeadersWithOnlySecureStrings() {
+        final ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
+        final SecureString secureString1 = new SecureString("password1".toCharArray());
+        threadContext.putTransient("secure.key1", secureString1);
+
+        threadContext.sanitizeTransientHeaders();
+
+        assertThat(threadContext.getTransient("secure.key1"), nullValue());
+        expectThrows(IllegalStateException.class, containsString("SecureString has already been closed"), secureString1::getChars);
+        assertThat(threadContext.getTransientHeaders(), is(anEmptyMap()));
+    }
+
+    public void testSanitizeTransientHeadersWithEmptyTransients() {
+        final ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
+        assertThat(threadContext.getTransientHeaders(), is(anEmptyMap()));
+
+        threadContext.sanitizeTransientHeaders();
+
+        assertThat(threadContext.getTransientHeaders(), is(anEmptyMap()));
+    }
+
     public void testNewEmptyContext() {
         final var threadContext = new ThreadContext(Settings.EMPTY);
         final var header = randomBoolean() ? randomIdentifier() : randomFrom(HEADERS_TO_COPY);
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
@@ -100,20 +100,28 @@ public void intercept(RestRequest request, RestChannel channel, RestHandler targ
 
     private void doHandleRequest(RestRequest request, RestChannel channel, RestHandler targetHandler, ActionListener<Boolean> listener) {
         threadContext.sanitizeHeaders();
-        // operator privileges can short circuit to return a non-successful response
-        if (operatorPrivilegesService.checkRest(targetHandler, request, channel, threadContext)) {
-            listener.onResponse(Boolean.TRUE);
-        } else {
-            // The service sends its own response if it returns `false`.
-            // That's kind of ugly, and it would be better if we throw an exception and let the rest controller serialize it as normal
-            listener.onResponse(Boolean.FALSE);
+        try {
+            // operator privileges can short circuit to return a non-successful response
+            if (operatorPrivilegesService.checkRest(targetHandler, request, channel, threadContext)) {
+                listener.onResponse(Boolean.TRUE);
+            } else {
+                // The service sends its own response if it returns `false`.
+                // That's kind of ugly, and it would be better if we throw an exception and let the rest controller serialize it as normal
+                listener.onResponse(Boolean.FALSE);
+            }
+        } finally {
+            threadContext.sanitizeTransientHeaders();
         }
     }
 
     protected void handleException(RestRequest request, Exception e, ActionListener<?> listener) {
-        logger.debug(() -> format("failed for REST request [%s]", request.uri()), e);
-        threadContext.sanitizeHeaders();
-        listener.onFailure(e);
+        try {
+            logger.debug(() -> format("failed for REST request [%s]", request.uri()), e);
+            threadContext.sanitizeHeaders();
+            listener.onFailure(e);
+        } finally {
+            threadContext.sanitizeTransientHeaders();
+        }
     }
 
     // for testing
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/rest/SecurityRestFilterTests.java
@@ -14,6 +14,7 @@
 import org.elasticsearch.action.support.PlainActionFuture;
 import org.elasticsearch.client.internal.node.NodeClient;
 import org.elasticsearch.common.bytes.BytesArray;
+import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.http.HttpChannel;
@@ -346,5 +347,82 @@ public void maybeInterceptRequest(ThreadContext threadContext, TransportRequest
         }
     }
 
+    public void testSanitizeTransientHeaders() throws Exception {
+        for (boolean failRequest : List.of(true, false)) {
+            RestRequest request = mock(RestRequest.class);
+            when(request.getHttpChannel()).thenReturn(mock(HttpChannel.class));
+            HttpRequest httpRequest = mock(HttpRequest.class);
+            when(request.getHttpRequest()).thenReturn(httpRequest);
+            Authentication authentication = AuthenticationTestHelper.builder().build();
+            doAnswer((i) -> {
+                @SuppressWarnings("unchecked")
+                ActionListener<Authentication> callback = (ActionListener<Authentication>) i.getArguments()[1];
+                if (failRequest) {
+                    callback.onFailure(new RuntimeException());
+                } else {
+                    callback.onResponse(authentication);
+                }
+                return Void.TYPE;
+            }).when(authcService).authenticate(eq(httpRequest), anyActionListener());
+
+            final SecureString secureString = new SecureString("password".toCharArray());
+            threadContext.putTransient("secure.key", secureString);
+
+            PlainActionFuture<Boolean> future = new PlainActionFuture<>() {
+                @Override
+                public void onResponse(Boolean result) {
+                    assertThat(threadContext.getTransient("secure.key"), equalTo(secureString));
+                    super.onResponse(result);
+                }
+
+                @Override
+                public void onFailure(Exception e) {
+                    assertThat(threadContext.getTransient("secure.key"), equalTo(secureString));
+                    super.onFailure(e);
+                }
+            };
+            filter.intercept(request, channel, restHandler, future);
+            assertThat(future.get(), is(Boolean.TRUE));
+
+            // verify SecureString instance is removed and closed
+            assertThat(threadContext.getTransient("secure.key"), nullValue());
+            expectThrows(IllegalStateException.class, containsString("SecureString has already been closed"), secureString::getChars);
+        }
+    }
+
+    public void testSanitizeTransientHeadersAfterException() throws Exception {
+        RestRequest request = mock(RestRequest.class);
+        when(request.getHttpChannel()).thenReturn(mock(HttpChannel.class));
+        HttpRequest httpRequest = mock(HttpRequest.class);
+        when(request.getHttpRequest()).thenReturn(httpRequest);
+
+        final ElasticsearchSecurityException testException = new ElasticsearchSecurityException("test exception");
+        doAnswer((i) -> {
+            @SuppressWarnings("unchecked")
+            ActionListener<Authentication> callback = (ActionListener<Authentication>) i.getArguments()[1];
+            callback.onFailure(testException);
+            return Void.TYPE;
+        }).when(authcService).authenticate(eq(httpRequest), anyActionListener());
+
+        final SecureString secureString = new SecureString("password".toCharArray());
+        threadContext.putTransient("secure.key", secureString);
+
+        PlainActionFuture<Boolean> future = new PlainActionFuture<>() {
+            @Override
+            public void onResponse(Boolean result) {
+                assertThat(threadContext.getTransient("secure.key"), equalTo(secureString));
+                throw testException;
+            }
+        };
+        filter.intercept(request, channel, restHandler, future);
+
+        var ese = expectThrows(ElasticsearchSecurityException.class, future::actionGet);
+        assertThat(ese, sameInstance(testException));
+
+        // verify SecureString is removed and closed
+        assertThat(threadContext.getTransient("secure.key"), nullValue());
+        expectThrows(IllegalStateException.class, containsString("SecureString has already been closed"), secureString::getChars);
+    }
+
     private interface FilteredRestHandler extends RestHandler, RestRequestFilter {}
 }
