Make sure file accesses in DnRoleMapper are done in stack frames with permissions (#112400) (#112441)

thecoop · web-flow · commit f72ec852f463 · 2024-09-03T16:14:11.000+10:00
* Make sure file accesses are done in stack frames with permissions

* Update docs/changelog/112400.yaml

* Delete docs/changelog/112400.yaml

* Update docs/changelog/112400.yaml
diff --git a/docs/changelog/112400.yaml b/docs/changelog/112400.yaml
@@ -0,0 +1,5 @@
+pr: 112400
+summary: Make sure file accesses in `DnRoleMapper` are done in stack frames with permissions
+area: Infra/Core
+type: bug
+issues: []
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java
@@ -114,7 +114,9 @@ public static Map<String, List<String>> parseFile(Path path, Logger logger, Stri
         }
 
         try {
-            Settings settings = Settings.builder().loadFromPath(path).build();
+            // create this here so it's in an allowed stack frame
+            var file = Files.newInputStream(path);
+            Settings settings = Settings.builder().loadFromStream(path.getFileName().toString(), file, false).build();
 
             Map<DN, Set<String>> dnToRoles = new HashMap<>();
             Set<String> roles = settings.names();

Original file line number	Diff line number	Diff line change
`@@ -114,7 +114,9 @@ public static Map<String, List<String>> parseFile(Path path, Logger logger, Stri`
`114`	`114`	`}`
`115`	`115`
`116`	`116`	`try {`
`117`		`- Settings settings = Settings.builder().loadFromPath(path).build();`
	`117`	`+ // create this here so it's in an allowed stack frame`
	`118`	`+ var file = Files.newInputStream(path);`
	`119`	`+ Settings settings = Settings.builder().loadFromStream(path.getFileName().toString(), file, false).build();`
`118`	`120`
`119`	`121`	`Map<DN, Set<String>> dnToRoles = new HashMap<>();`
`120`	`122`	`Set<String> roles = settings.names();`