From 59a5728feb988263de4b298489b7e23dc74ccda4 Mon Sep 17 00:00:00 2001 From: Pete Gillin Date: Fri, 26 Sep 2025 15:52:36 +0100 Subject: [PATCH] All `reindex.remote.whitelist` to be set to `*` Prior to this change, ES would refuse to start if the `reindex.remote.whitelist` node setting was `*` (or anything else which matches every string). This removes that restriction. The logic did not provide any real security, since it would accept a setting value of `*:*`, which would effectively match everything since the string checked against it was always of the form `:`. It has been agreed that users should be allowed to whitelist everything if they choose, so there is no value to just making it more awkward for them to figure out how to do so. --- .../reindex/ReindexValidator.java | 9 ------- .../ReindexFromRemoteWhitelistTests.java | 24 ------------------- 2 files changed, 33 deletions(-) diff --git a/modules/reindex/src/main/java/org/elasticsearch/reindex/ReindexValidator.java b/modules/reindex/src/main/java/org/elasticsearch/reindex/ReindexValidator.java index 19bd8a0f8270f..32887235f69c6 100644 --- a/modules/reindex/src/main/java/org/elasticsearch/reindex/ReindexValidator.java +++ b/modules/reindex/src/main/java/org/elasticsearch/reindex/ReindexValidator.java @@ -101,15 +101,6 @@ static CharacterRunAutomaton buildRemoteWhitelist(List whitelist) { } Automaton automaton = Regex.simpleMatchToAutomaton(whitelist.toArray(Strings.EMPTY_ARRAY)); automaton = Operations.determinize(automaton, Operations.DEFAULT_DETERMINIZE_WORK_LIMIT); - if (Operations.isTotal(automaton)) { - throw new IllegalArgumentException( - "Refusing to start because whitelist " - + whitelist - + " accepts all addresses. " - + "This would allow users to reindex-from-remote any URL they like effectively having Elasticsearch make HTTP GETs " - + "for them." - ); - } return new CharacterRunAutomaton(automaton); } diff --git a/modules/reindex/src/test/java/org/elasticsearch/reindex/ReindexFromRemoteWhitelistTests.java b/modules/reindex/src/test/java/org/elasticsearch/reindex/ReindexFromRemoteWhitelistTests.java index 3219c45926f38..4264e7b273436 100644 --- a/modules/reindex/src/test/java/org/elasticsearch/reindex/ReindexFromRemoteWhitelistTests.java +++ b/modules/reindex/src/test/java/org/elasticsearch/reindex/ReindexFromRemoteWhitelistTests.java @@ -16,7 +16,6 @@ import java.net.UnknownHostException; import java.util.ArrayList; -import java.util.Arrays; import java.util.List; import static java.util.Collections.emptyList; @@ -112,35 +111,12 @@ public void testUnwhitelistedRemote() { assertEquals("[not in list:" + port + "] not whitelisted in reindex.remote.whitelist", e.getMessage()); } - public void testRejectMatchAll() { - assertMatchesTooMuch(singletonList("*")); - assertMatchesTooMuch(singletonList("**")); - assertMatchesTooMuch(singletonList("***")); - assertMatchesTooMuch(Arrays.asList("realstuff", "*")); - assertMatchesTooMuch(Arrays.asList("*", "realstuff")); - List random = randomWhitelist(); - random.add("*"); - assertMatchesTooMuch(random); - } - public void testIPv6Address() { List whitelist = randomWhitelist(); whitelist.add("[::1]:*"); checkRemoteWhitelist(buildRemoteWhitelist(whitelist), newRemoteInfo("[::1]", 9200)); } - private void assertMatchesTooMuch(List whitelist) { - Exception e = expectThrows(IllegalArgumentException.class, () -> buildRemoteWhitelist(whitelist)); - assertEquals( - "Refusing to start because whitelist " - + whitelist - + " accepts all addresses. " - + "This would allow users to reindex-from-remote any URL they like effectively having Elasticsearch make HTTP GETs " - + "for them.", - e.getMessage() - ); - } - private List randomWhitelist() { int size = between(1, 100); List whitelist = new ArrayList<>(size);