Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove ignoreUrl file setting property #123718

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Remove ignoreUrl file setting property #123718

wants to merge 2 commits into from
+13 −42

Conversation

rjernst
Copy link
Member

@rjernst rjernst commented Feb 28, 2025

Urls may make the FileAccessTree invalid. This commit removes the flag for filtering urls, instead always filtering them.

@rjernst
Remove ignoreUrl file setting property
0344b08 
Urls may make the FileAccessTree invalid. This commit removes the flag
for filtering urls, instead always filtering them.
@rjernst rjernst added >refactoring auto-backport Automatically create backport pull requests when merged v8.18.1 v8.19.0 v9.0.1 v9.1.0 :Core/Infra/Entitlements Entitlements infrastructure labels Feb 28, 2025
@rjernst rjernst requested a review from a team as a code owner February 28, 2025 15:10
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Feb 28, 2025
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

mosche
mosche reviewed Feb 28, 2025
View reviewed changes
...rc/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
if (ignoreUrl) {
result = result.filter(s -> s.toLowerCase(Locale.ROOT).startsWith("https://") == false);
}
result = result.filter(s -> s.toLowerCase(Locale.ROOT).startsWith("https://") == false);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can't rely on all setting rejecting http, right? Shouldn't we make sure to exclude such urls as well, so we keep the filtetree clean?

ldematte
ldematte reviewed Feb 28, 2025
View reviewed changes
Copy link
Contributor

@ldematte ldematte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, one Q about removing different kind of URLs

Optional: would it make sense to have one or more tests that exercise resolvePaths?
Either calling it directly, or indirectly via a FileAccessTree test?

...rc/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
if (ignoreUrl) {
result = result.filter(s -> s.toLowerCase(Locale.ROOT).startsWith("https://") == false);
}
result = result.filter(s -> s.toLowerCase(Locale.ROOT).startsWith("https://") == false);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we ignore all URLs? http://, ftp:// (if we even allow that thing).
Even file:// if passed down to FileAccessTree as is would make a mess of the path sting.

@rjernst
Copy link
Member Author

rjernst commented Feb 28, 2025

I agree we should be filtering all urls, but identifying arbitrary urls becomes much more complex. Right now these settings only support https, and they fail otherwise. Can we leave that as a followup? This PR is removing the ignoreUrl property, not changing the behavior of how we ignore urls.

ldematte
ldematte approved these changes Feb 28, 2025
View reviewed changes
Copy link
Contributor

@ldematte ldematte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK to leave other URLs as a follow up

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mosche mosche mosche left review comments

@ldematte ldematte ldematte approved these changes

Assignees
No one assigned
Labels
auto-backport Automatically create backport pull requests when merged :Core/Infra/Entitlements Entitlements infrastructure >refactoring Team:Core/Infra Meta label for core/infra team v8.18.1 v8.19.0 v9.0.1 v9.1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rjernst @elasticsearchmachine @mosche @ldematte