Skip to content

[Entitlements] Add a check for filesystem mismatch #123744

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Feb 28, 2025
Merged

[Entitlements] Add a check for filesystem mismatch #123744

merged 7 commits into from
Feb 28, 2025

Conversation

@ldematte
Copy link
Contributor

@ldematte ldematte commented Feb 28, 2025
edited
Loading

NIO Files function accept an arbitrary Path object; this objects may be of different classes/come from FileSystems different from the default one, which is the one that provide access to the file systems accessible to the Java virtual machine, and which we are trying to protect.

For example: you can pass a ZipPath (created by a ZipFileSystem) to Files.exists(Path), to check for contents of a Zip file. This works, but check for entitlements on that ZipPath is not correct.

While checking for Files entitlements, we should skip checks on Paths coming from different FileSystems, as they do not intersect with the Paths we are protecting. This PR adds a condition to do that.

@ldematte ldematte added >non-issue auto-backport Automatically create backport pull requests when merged v8.18.1 v8.19.0 v9.0.1 v9.1.0 :Core/Infra/Entitlements Entitlements infrastructure labels Feb 28, 2025
@ldematte ldematte requested a review from a team as a code owner February 28, 2025 18:14
@ldematte ldematte requested a review from rjernst February 28, 2025 18:14
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Feb 28, 2025
This was referenced Feb 28, 2025
Merged
Merged
rjernst
rjernst approved these changes Feb 28, 2025
View reviewed changes
Copy link
Member

@rjernst rjernst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java Outdated
}

private boolean checkPath(String path, String[] paths) {
logger.debug(() -> Strings.format("checking [%s] against [%s]", path, String.join(",", paths)));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems more trace level? It could be extremely verbose?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I always mix them up! I will fix all 3 of them

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java Outdated
}

private static boolean isParent(String maybeParent, String path) {
logger.debug(() -> Strings.format("checking isParent [%s] for [%s]", maybeParent, path));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, this could log a lot.

@ldematte ldematte enabled auto-merge (squash) February 28, 2025 21:11
@ldematte ldematte added the test-windows Trigger CI checks on Windows label Feb 28, 2025
@ldematte ldematte removed the test-windows Trigger CI checks on Windows label Feb 28, 2025
@ldematte
Copy link
Contributor Author

Removing test-windows as it still fails until we merge #123689 (and we need this to merge it)

@ldematte ldematte merged commit b346427 into elastic:main Feb 28, 2025
16 of 17 checks passed
This was referenced Feb 28, 2025
Merged
Merged
Merged
ldematte added a commit to ldematte/elasticsearch that referenced this pull request Feb 28, 2025
@ldematte
[Entitlements] Add a check for filesystem mismatch (elastic#123744)
0780ead
@elasticsearchmachine
Copy link
Collaborator

💚 Backport successful

Status Branch Result
8.18
8.x
9.0

ldematte added a commit to ldematte/elasticsearch that referenced this pull request Feb 28, 2025
@ldematte
[Entitlements] Add a check for filesystem mismatch (elastic#123744)
a81897c
ldematte added a commit to ldematte/elasticsearch that referenced this pull request Feb 28, 2025
@ldematte
[Entitlements] Add a check for filesystem mismatch (elastic#123744)
a569781
elasticsearchmachine pushed a commit that referenced this pull request Mar 1, 2025
@ldematte
[Entitlements] Add a check for filesystem mismatch (#123744) (#123777)
530f2b4
elasticsearchmachine pushed a commit that referenced this pull request Mar 1, 2025
@ldematte
[Entitlements] Add a check for filesystem mismatch (#123744) (#123778)
2c3e84d
elasticsearchmachine pushed a commit that referenced this pull request Mar 1, 2025
@ldematte
[Entitlements] Add a check for filesystem mismatch (#123744) (#123779)
79b0c35
This was referenced Mar 5, 2025
Closed
Merged
@mosche mosche mentioned this pull request Mar 10, 2025
Merged
elasticsearchmachine pushed a commit that referenced this pull request Mar 10, 2025
@mosche
Unmute MetricsApmIT (closes #124291) (#124471)
91f33cb 
Unmute MetricsApmIT (closes #124291). This was already fixed by
#123744.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rjernst rjernst rjernst approved these changes

Assignees

No one assigned

Labels

auto-backport Automatically create backport pull requests when merged :Core/Infra/Entitlements Entitlements infrastructure >non-issue Team:Core/Infra Meta label for core/infra team v8.18.1 v8.19.0 v9.0.1 v9.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ldematte @elasticsearchmachine @rjernst