From 39a394df46ef21faa2de7e3c78c9f4965d33129a Mon Sep 17 00:00:00 2001
From: Simon Cooper
Date: Tue, 3 Sep 2024 06:12:41 +0100
Subject: [PATCH] Make sure file accesses in DnRoleMapper are done in stack frames with permissions (#112400)
* Make sure file accesses are done in stack frames with permissions
* Update docs/changelog/112400.yaml
* Delete docs/changelog/112400.yaml
* Update docs/changelog/112400.yaml
---
 docs/changelog/112400.yaml | 5 +++++
 .../xpack/security/authc/support/DnRoleMapper.java | 4 +++-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 docs/changelog/112400.yaml
diff --git a/docs/changelog/112400.yaml b/docs/changelog/112400.yaml
new file mode 100644
index 0000000000000..6d622e5fb5248
--- /dev/null
+++ b/docs/changelog/112400.yaml
@@ -0,0 +1,5 @@
+pr: 112400
+summary: Make sure file accesses in `DnRoleMapper` are done in stack frames with permissions
+area: Infra/Core
+type: bug
+issues: []
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java
index 0f8539e69bb32..3279bda791c52 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapper.java
@@ -114,7 +114,9 @@ public static Map> parseFile(Path path, Logger logger, Stri
 }
 try {
- Settings settings = Settings.builder().loadFromPath(path).build();
+ // create this here so it's in an allowed stack frame
+ var file = Files.newInputStream(path);
+ Settings settings = Settings.builder().loadFromStream(path.getFileName().toString(), file, false).build();
 Map> dnToRoles = new HashMap<>();
 Set roles = settings.names();
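Review bot: The stream opened by `var file = Files.newInputStream(path);` is never closed in this frame, so releasing the handle depends entirely on `loadFromStream` closing it, which is not visible in this hunk. If that call throws before it takes ownership of the stream, the descriptor for the role-mapping file would stay open until it is garbage-collected. A try-with-resources keeps the open in the permitted frame and makes the close explicit: `Settings settings; try (var file = Files.newInputStream(path)) { settings = Settings.builder().loadFromStream(path.getFileName().toString(), file, false).build(); }`. The comment should also name the check it works around, presumably the file-permission check on the calling stack, e.g. `// open the file here, not inside Settings, so the file-permission check sees this module's stack frame`. parseFile starts and ends outside the hunk.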