Address review comments

pawankartik-elastic · pawankartik-elastic · commit 888ed14951a4 · 2025-11-10T15:00:48.000Z
diff --git a/server/src/main/java/org/elasticsearch/rest/action/search/RestSearchAction.java b/server/src/main/java/org/elasticsearch/rest/action/search/RestSearchAction.java
@@ -200,11 +200,18 @@ public static void parseSearchRequest(
             searchRequest.source(new SearchSourceBuilder());
         }
         searchRequest.indices(Strings.splitStringByCommaToArray(request.param("index")));
+        /*
+         * We pass this object to the request body parser so that we can extract info such as project_routing.
+         * We only do it if in a Cross Project Environment, though, because outside it, such details are not
+         * expected and valid.
+         */
+        SearchRequest searchRequestForParsing = crossProjectEnabled ? searchRequest : null;
         if (requestContentParser != null) {
             if (searchUsageHolder == null) {
-                searchRequest.source().parseXContent(searchRequest, requestContentParser, true, clusterSupportsFeature);
+                searchRequest.source().parseXContent(searchRequestForParsing, requestContentParser, true, clusterSupportsFeature);
             } else {
-                searchRequest.source().parseXContent(searchRequest, requestContentParser, true, searchUsageHolder, clusterSupportsFeature);
+                searchRequest.source()
+                    .parseXContent(searchRequestForParsing, requestContentParser, true, searchUsageHolder, clusterSupportsFeature);
             }
         }
 
diff --git a/server/src/main/java/org/elasticsearch/search/builder/SearchSourceBuilder.java b/server/src/main/java/org/elasticsearch/search/builder/SearchSourceBuilder.java
@@ -1331,7 +1331,9 @@ private SearchSourceBuilder shallowCopy(
      * Parse some xContent into this SearchSourceBuilder, overwriting any values specified in the xContent.
      *
      * @param searchRequest The SearchRequest object that's representing the request we're parsing which shall receive
-     *                      the parsed info.
+     *                      the parsed info. Currently, this is non-null only if we expect project_routing to appear in
+     *                      the request body, and we allow it to appear because we're in a Cross Project Search
+     *                      environment and require this info.
      * @param parser The xContent parser.
      * @param checkTrailingTokens If true throws a parsing exception when extra tokens are found after the main object.
      * @param searchUsageHolder holder for the search usage statistics
@@ -1370,7 +1372,9 @@ public SearchSourceBuilder parseXContent(
      * usage stats into it is the one to use.
      *
      * @param searchRequest The SearchRequest object that's representing the request we're parsing which shall receive
-     *                      the parsed info.
+     *                      the parsed info. Currently, this is non-null only if we expect project_routing to appear in
+     *                      the request body, and we allow it to appear because we're in a Cross Project Search
+     *                      environment and require this info.
      * @param parser The xContent parser.
      * @param checkTrailingTokens If true throws a parsing exception when extra tokens are found after the main object.
      * @param clusterSupportsFeature used to check if certain features are available on this cluster
diff --git a/x-pack/plugin/async-search/src/internalClusterTest/java/org/elasticsearch/xpack/search/ProjectRoutingDisallowedIT.java b/x-pack/plugin/async-search/src/internalClusterTest/java/org/elasticsearch/xpack/search/ProjectRoutingDisallowedIT.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.xpack.search;
+
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.ResponseException;
+import org.elasticsearch.common.util.CollectionUtils;
+import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.test.ESIntegTestCase;
+import org.hamcrest.Matchers;
+
+import java.io.IOException;
+import java.util.Collection;
+
+public class ProjectRoutingDisallowedIT extends ESIntegTestCase {
+    @Override
+    protected boolean addMockHttpTransport() {
+        return false;
+    }
+
+    @Override
+    protected Collection<Class<? extends Plugin>> nodePlugins() {
+        return CollectionUtils.appendToCopyNoNullElements(super.nodePlugins(), AsyncSearch.class);
+    }
+
+    public void testDisallowProjectRouting() throws IOException {
+        Request createAsyncRequest = new Request("POST", "/*,*:*/" + randomFrom("_async_search", "_search"));
+        createAsyncRequest.setJsonEntity("""
+            {
+              "project_routing": "_alias:_origin"
+            }
+            """);
+
+        ResponseException err = expectThrows(ResponseException.class, () -> getRestClient().performRequest(createAsyncRequest));
+        assertThat(err.toString(), Matchers.containsString("Unknown key for a VALUE_STRING in [project_routing]"));
+    }
+}
