From d2006c6f34b6bc1836398c6233b47579f0e9d7e6 Mon Sep 17 00:00:00 2001
From: Simon Cooper
Date: Fri, 30 Aug 2024 17:11:40 +0100
Subject: [PATCH 1/4] Make sure file accesses are done in stack frames with permissions
---
 .../xpack/security/authc/support/DnRoleMapper.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java
index 0f8539e69bb32..3279bda791c52 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java
@@ -114,7 +114,9 @@ public static Map> parseFile(Path path, Logger logger, Stri
 }
 try {
- Settings settings = Settings.builder().loadFromPath(path).build();
+ // create this here so it's in an allowed stack frame
+ var file = Files.newInputStream(path);
+ Settings settings = Settings.builder().loadFromStream(path.getFileName().toString(), file, false).build();
 Map> dnToRoles = new HashMap<>();
 Set roles = settings.names();
From 6a4358e1bd635bf3eba319c9cbbbae5a2446de5d Mon Sep 17 00:00:00 2001
From: Simon Cooper
Date: Fri, 30 Aug 2024 17:14:17 +0100
Subject: [PATCH 2/4] Update docs/changelog/112400.yaml
---
 docs/changelog/112400.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 docs/changelog/112400.yaml
diff --git a/docs/changelog/112400.yaml b/docs/changelog/112400.yaml
new file mode 100644
index 0000000000000..6d622e5fb5248
--- /dev/null
+++ b/docs/changelog/112400.yaml
@@ -0,0 +1,5 @@
+pr: 112400
+summary: Make sure file accesses in `DnRoleMapper` are done in stack frames with permissions
+area: Infra/Core
+type: bug
+issues: []
From 7d8ff155015ef100fb96bee4a7479d27fd0a306a Mon Sep 17 00:00:00 2001
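Review bot: The stream opened by `var file = Files.newInputStream(path);` in parseFile is never closed in the visible lines, so its lifetime depends on `loadFromStream` closing it on both the success and the failure path, which this hunk does not show. Folding the open into the existing block as `try (var file = Files.newInputStream(path)) {` keeps the file access in this stack frame and makes the close explicit; a second close on an already closed stream is harmless. The comment would also help the next maintainer more if it named what must not be undone, for example `// open the stream in this frame instead of calling loadFromPath: the file permission check is made against the calling stack`, where the wording is inferred from the commit subject and should be confirmed. parseFile's body starts and ends outside the hunk.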
From: Simon Cooper
Date: Fri, 30 Aug 2024 17:14:58 +0100
Subject: [PATCH 3/4] Delete docs/changelog/112400.yaml
---
 docs/changelog/112400.yaml | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 docs/changelog/112400.yaml
diff --git a/docs/changelog/112400.yaml b/docs/changelog/112400.yaml
deleted file mode 100644
index 6d622e5fb5248..0000000000000
--- a/docs/changelog/112400.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-pr: 112400
-summary: Make sure file accesses in `DnRoleMapper` are done in stack frames with permissions
-area: Infra/Core
-type: bug
-issues: []
From 0670ffd270cd33d40429ac3894e54ab915661e57 Mon Sep 17 00:00:00 2001
From: Simon Cooper
Date: Mon, 2 Sep 2024 11:32:32 +0100
Subject: [PATCH 4/4] Update docs/changelog/112400.yaml
---
 docs/changelog/112400.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 docs/changelog/112400.yaml
diff --git a/docs/changelog/112400.yaml b/docs/changelog/112400.yaml
new file mode 100644
index 0000000000000..6d622e5fb5248
--- /dev/null
+++ b/docs/changelog/112400.yaml
@@ -0,0 +1,5 @@
+pr: 112400
+summary: Make sure file accesses in `DnRoleMapper` are done in stack frames with permissions
+area: Infra/Core
+type: bug
+issues: []