Merge branch 'main' into 2025/02/07/post-recovery-merge-bump-version

Author: DaveCTurner

.buildkite/pipelines/intake.yml

@@ -76,7 +76,7 @@ steps:
             ES_VERSION:
               - "9.0.0"
             ES_COMMIT:
-              - "b2cc9d9b8f00ee621f93ddca07ea9c671aab1578" # update to match last commit before lucene bump
+              - "10352e57d85505984582616e1e38530d3ec6ca59" # update to match last commit before lucene bump / head of combat-lucene-10-0-0
         agents:
           provider: gcp
           image: family/elasticsearch-ubuntu-2004

build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/DockerBase.java

@@ -22,7 +22,7 @@ public enum DockerBase {
     // Chainguard based wolfi image with latest jdk
     // This is usually updated via renovatebot
     // spotless:off
-    WOLFI("docker.elastic.co/wolfi/chainguard-base:latest@sha256:ecd940be9f342ee6173397c48f3df5bb410e95000f8726fd01759b6c39b0beda",
+    WOLFI("docker.elastic.co/wolfi/chainguard-base:latest@sha256:d74b1fda6b7fee2c90b410df258e005c049e0672fe16d79d00e58f14fb69f90b",
         "-wolfi",
         "apk"
     ),

docs/changelog/122538.yaml

@@ -0,0 +1,5 @@
+pr: 122538
+summary: Fix `ArrayIndexOutOfBoundsException` in `ShardBulkInferenceActionFilter`
+area: Ingest
+type: bug
+issues: []

docs/changelog/122737.yaml

@@ -0,0 +1,5 @@
+pr: 122737
+summary: Bump json-smart and oauth2-oidc-sdk
+area: Authentication
+type: upgrade
+issues: []

gradle/verification-metadata.xml

@@ -984,36 +984,19 @@
             <sha256 value="e8c1c594e2425bdbea2d860de55c69b69fc5d59454452449a0f0913c2a5b8a31" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.nimbusds" name="nimbus-jose-jwt" version="10.0.1">
+         <artifact name="nimbus-jose-jwt-10.0.1.jar">
+            <sha256 value="f28dbd9ab128324f05050d76b78469d3a9cd83e0319aabc68d1c276e3923e13a" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.nimbusds" name="nimbus-jose-jwt" version="4.41.1">
          <artifact name="nimbus-jose-jwt-4.41.1.jar">
             <sha256 value="fbfd0d5f2b2f86758b821daa5e79b5d7c965edd9dc1b2cc80b515df1c6ddc22d" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.nimbusds" name="nimbus-jose-jwt" version="9.37.3">
-         <artifact name="nimbus-jose-jwt-9.37.3.jar">
-            <sha256 value="12ae4a3a260095d7aeba2adea7ae396e8b9570db8b7b409e09a824c219cc0444" origin="Generated by Gradle">
-               <also-trust value="afc63b689d881439b95f343b1dca750391edac63b87392be4d90d19c94ccafbe"/>
-            </sha256>
-         </artifact>
-      </component>
-      <component group="com.nimbusds" name="nimbus-jose-jwt" version="9.8.1">
-         <artifact name="nimbus-jose-jwt-9.8.1.jar">
-            <sha256 value="7664cf8c6f2adadf600287812b32878277beda54912eab9d4c2932cd50cb704a" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
-      <component group="com.nimbusds" name="oauth2-oidc-sdk" version="11.10.1">
-         <artifact name="oauth2-oidc-sdk-11.10.1.jar">
-            <sha256 value="9e51b2c17503cdd3eb97f41491c712aff7783bb3c67185d789f44ccf2a603b26" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
-      <component group="com.nimbusds" name="oauth2-oidc-sdk" version="11.9.1">
-         <artifact name="oauth2-oidc-sdk-11.9.1.jar">
-            <sha256 value="0820c9690966304d075347b88e81ae490213440fc4d2c84f3d370d41941b2b9c" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
-      <component group="com.nimbusds" name="oauth2-oidc-sdk" version="9.37">
-         <artifact name="oauth2-oidc-sdk-9.37.jar">
-            <sha256 value="44a04bbed5ae3f6d198aa73ee6b545c476e528ec1a267ef3e9f7033f886dd6fe" origin="Generated by Gradle"/>
+      <component group="com.nimbusds" name="oauth2-oidc-sdk" version="11.22.2">
+         <artifact name="oauth2-oidc-sdk-11.22.2.jar">
+            <sha256 value="64fab42f17bf8e0efb193dd34da716ef7abb7515234036119df1776b808dc066" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.perforce" name="p4java" version="2015.2.1365273">
@@ -1779,34 +1762,24 @@
             <sha256 value="0972bbc99437c4163acd09b630e6c77eab4cfab8a9594621c95466c0c6645396" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="net.minidev" name="accessors-smart" version="2.5.0">
-         <artifact name="accessors-smart-2.5.0.jar">
-            <sha256 value="12314fc6881d66a413fd66370787adba16e504fbf7e138690b0f3952e3fbd321" origin="Generated by Gradle"/>
+      <component group="net.minidev" name="accessors-smart" version="2.5.2">
+         <artifact name="accessors-smart-2.5.2.jar">
+            <sha256 value="9b8a7bc43861d6156c021166d941fb7dddbe4463e2fa5ee88077e4b01452a836" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="net.minidev" name="json-smart" version="2.3">
          <artifact name="json-smart-2.3.jar">
             <sha256 value="903f48c8aa4c3f6426440b8d32de89fa1dc23b1169abde25e4e1d068aa67708b" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="net.minidev" name="json-smart" version="2.4.10">
-         <artifact name="json-smart-2.4.10.jar">
-            <sha256 value="70cab5e9488630dc631b1fc6e7fa550d95cddd19ba14db39ceca7cabfbd4e5ae" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
       <component group="net.minidev" name="json-smart" version="2.4.2">
          <artifact name="json-smart-2.4.2.jar">
             <sha256 value="64072f56d9dff5040b2acec477c5d5e6bcebfc88c508f12acb26072d07942146" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="net.minidev" name="json-smart" version="2.5.0">
-         <artifact name="json-smart-2.5.0.jar">
-            <sha256 value="432b9e545848c4141b80717b26e367f83bf33f19250a228ce75da6e967da2bc7" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
-      <component group="net.minidev" name="json-smart" version="2.5.1">
-         <artifact name="json-smart-2.5.1.jar">
-            <sha256 value="86c0c189581b79b57b0719f443a724e9f628ffbb9eef645cf79194f5973a1001" origin="Generated by Gradle"/>
+      <component group="net.minidev" name="json-smart" version="2.5.2">
+         <artifact name="json-smart-2.5.2.jar">
+            <sha256 value="4fbdedb0105cedc7f766b95c297d2e88fb6a560da48f3bbaa0cc538ea8b7bf71" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="net.nextencia" name="rrdiagram" version="0.9.4">
@@ -4408,31 +4381,6 @@
             <sha256 value="ca5b8d11569e53921b0e3486469e7c674361c79845dad3d514f38ab6e0c8c10a" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.ow2.asm" name="asm" version="9.2">
-         <artifact name="asm-9.2.jar">
-            <sha256 value="b9d4fe4d71938df38839f0eca42aaaa64cf8b313d678da036f0cb3ca199b47f5" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
-      <component group="org.ow2.asm" name="asm" version="9.3">
-         <artifact name="asm-9.3.jar">
-            <sha256 value="1263369b59e29c943918de11d6d6152e2ec6085ce63e5710516f8c67d368e4bc" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
-      <component group="org.ow2.asm" name="asm" version="9.4">
-         <artifact name="asm-9.4.jar">
-            <sha256 value="39d0e2b3dc45af65a09b097945750a94a126e052e124f93468443a1d0e15f381" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
-      <component group="org.ow2.asm" name="asm" version="9.5">
-         <artifact name="asm-9.5.jar">
-            <sha256 value="b62e84b5980729751b0458c534cf1366f727542bb8d158621335682a460f0353" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
-      <component group="org.ow2.asm" name="asm" version="9.6">
-         <artifact name="asm-9.6.jar">
-            <sha256 value="3c6fac2424db3d4a853b669f4e3d1d9c3c552235e19a319673f887083c2303a1" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
       <component group="org.ow2.asm" name="asm" version="9.7.1">
          <artifact name="asm-9.7.1.jar">
             <sha256 value="8cadd43ac5eb6d09de05faecca38b917a040bb9139c7edeb4cc81c740b713281" origin="Generated by Gradle"/>

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -10,6 +10,7 @@
 package org.elasticsearch.entitlement.bridge;
 
 import java.io.File;
+import java.io.FileDescriptor;
 import java.io.FileFilter;
 import java.io.FilenameFilter;
 import java.io.InputStream;
@@ -572,14 +573,54 @@ public interface EntitlementChecker {
 
     void check$java_io_File$setWritable(Class<?> callerClass, File file, boolean writable, boolean ownerOnly);
 
+    void check$java_io_FileInputStream$(Class<?> callerClass, File file);
+
+    void check$java_io_FileInputStream$(Class<?> callerClass, FileDescriptor fd);
+
+    void check$java_io_FileInputStream$(Class<?> callerClass, String name);
+
     void check$java_io_FileOutputStream$(Class<?> callerClass, File file);
 
     void check$java_io_FileOutputStream$(Class<?> callerClass, File file, boolean append);
 
+    void check$java_io_FileOutputStream$(Class<?> callerClass, FileDescriptor fd);
+
     void check$java_io_FileOutputStream$(Class<?> callerClass, String name);
 
     void check$java_io_FileOutputStream$(Class<?> callerClass, String name, boolean append);
 
+    void check$java_io_FileReader$(Class<?> callerClass, File file);
+
+    void check$java_io_FileReader$(Class<?> callerClass, File file, Charset charset);
+
+    void check$java_io_FileReader$(Class<?> callerClass, FileDescriptor fd);
+
+    void check$java_io_FileReader$(Class<?> callerClass, String name);
+
+    void check$java_io_FileReader$(Class<?> callerClass, String name, Charset charset);
+
+    void check$java_io_FileWriter$(Class<?> callerClass, File file);
+
+    void check$java_io_FileWriter$(Class<?> callerClass, File file, boolean append);
+
+    void check$java_io_FileWriter$(Class<?> callerClass, File file, Charset charset);
+
+    void check$java_io_FileWriter$(Class<?> callerClass, File file, Charset charset, boolean append);
+
+    void check$java_io_FileWriter$(Class<?> callerClass, FileDescriptor fd);
+
+    void check$java_io_FileWriter$(Class<?> callerClass, String name);
+
+    void check$java_io_FileWriter$(Class<?> callerClass, String name, boolean append);
+
+    void check$java_io_FileWriter$(Class<?> callerClass, String name, Charset charset);
+
+    void check$java_io_FileWriter$(Class<?> callerClass, String name, Charset charset, boolean append);
+
+    void check$java_io_RandomAccessFile$(Class<?> callerClass, String name, String mode);
+
+    void check$java_io_RandomAccessFile$(Class<?> callerClass, File file, String mode);
+
     void check$java_util_Scanner$(Class<?> callerClass, File source);
 
     void check$java_util_Scanner$(Class<?> callerClass, File source, String charsetName);

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java

@@ -13,16 +13,22 @@
 import org.elasticsearch.entitlement.qa.entitled.EntitledActions;
 
 import java.io.File;
+import java.io.FileDescriptor;
+import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
+import java.io.FileReader;
+import java.io.FileWriter;
 import java.io.IOException;
+import java.io.RandomAccessFile;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.nio.file.attribute.UserPrincipal;
 import java.util.Scanner;
 
+import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.ALWAYS_DENIED;
 import static org.elasticsearch.entitlement.qa.test.EntitlementTest.ExpectedAccess.PLUGINS;
 
 @SuppressForbidden(reason = "Explicitly checking APIs that are forbidden")
@@ -216,6 +222,21 @@ static void createScannerFileWithCharsetName() throws FileNotFoundException {
         new Scanner(readFile().toFile(), "UTF-8");
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createFileInputStreamFile() throws IOException {
+        new FileInputStream(readFile().toFile()).close();
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void createFileInputStreamFileDescriptor() throws IOException {
+        new FileInputStream(FileDescriptor.in).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createFileInputStreamString() throws IOException {
+        new FileInputStream(readFile().toString()).close();
+    }
+
     @EntitlementTest(expectedAccess = PLUGINS)
     static void createFileOutputStreamString() throws IOException {
         new FileOutputStream(readWriteFile().toString()).close();
@@ -236,6 +257,96 @@ static void createFileOutputStreamFileWithAppend() throws IOException {
         new FileOutputStream(readWriteFile().toFile(), false).close();
     }
 
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void createFileOutputStreamFileDescriptor() throws IOException {
+        new FileOutputStream(FileDescriptor.out).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createFileReaderFile() throws IOException {
+        new FileReader(readFile().toFile()).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createFileReaderFileCharset() throws IOException {
+        new FileReader(readFile().toFile(), StandardCharsets.UTF_8).close();
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void createFileReaderFileDescriptor() throws IOException {
+        new FileReader(FileDescriptor.in).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createFileReaderString() throws IOException {
+        new FileReader(readFile().toString()).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createFileReaderStringCharset() throws IOException {
+        new FileReader(readFile().toString(), StandardCharsets.UTF_8).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createFileWriterFile() throws IOException {
+        new FileWriter(readWriteFile().toFile()).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createFileWriterFileWithAppend() throws IOException {
+        new FileWriter(readWriteFile().toFile(), false).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createFileWriterFileCharsetWithAppend() throws IOException {
+        new FileWriter(readWriteFile().toFile(), StandardCharsets.UTF_8, false).close();
+    }
+
+    @EntitlementTest(expectedAccess = ALWAYS_DENIED)
+    static void createFileWriterFileDescriptor() throws IOException {
+        new FileWriter(FileDescriptor.out).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createFileWriterString() throws IOException {
+        new FileWriter(readWriteFile().toString()).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createFileWriterStringWithAppend() throws IOException {
+        new FileWriter(readWriteFile().toString(), false).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createFileWriterStringCharset() throws IOException {
+        new FileWriter(readWriteFile().toString(), StandardCharsets.UTF_8).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createFileWriterStringCharsetWithAppend() throws IOException {
+        new FileWriter(readWriteFile().toString(), StandardCharsets.UTF_8, false).close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createRandomAccessFileStringRead() throws IOException {
+        new RandomAccessFile(readFile().toString(), "r").close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createRandomAccessFileStringReadWrite() throws IOException {
+        new RandomAccessFile(readWriteFile().toString(), "rw").close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createRandomAccessFileRead() throws IOException {
+        new RandomAccessFile(readFile().toFile(), "r").close();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void createRandomAccessFileReadWrite() throws IOException {
+        new RandomAccessFile(readWriteFile().toFile(), "rw").close();
+    }
+
     @EntitlementTest(expectedAccess = PLUGINS)
     static void filesGetOwner() throws IOException {
         Files.getOwner(readFile());