Add a system property to configure YamlParser codepoint limits (opens…
…earch-project#12301)

Signed-off-by: Andriy Redko <[email protected]>
Signed-off-by: Shivansh Arora <[email protected]>
reta authored and shiv0408 committed Apr 25, 2024
1 parent aa532d7 commit 01fed82
Showing 4 changed files with 12 additions and 3 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -109,6 +109,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

### Fixed
- Fix for deserilization bug in weighted round-robin metadata ([#11679](https://github.com/opensearch-project/OpenSearch/pull/11679))
- Add a system property to configure YamlParser codepoint limits ([#12298](https://github.com/opensearch-project/OpenSearch/pull/12298))

### Security

Expand Up @@ -19,6 +19,7 @@
*/
@InternalApi
public interface XContentContraints {
final String DEFAULT_CODEPOINT_LIMIT_PROPERTY = "opensearch.xcontent.codepoint.max";
final String DEFAULT_MAX_STRING_LEN_PROPERTY = "opensearch.xcontent.string.length.max";
final String DEFAULT_MAX_NAME_LEN_PROPERTY = "opensearch.xcontent.name.length.max";
final String DEFAULT_MAX_DEPTH_PROPERTY = "opensearch.xcontent.depth.max";
Expand All @@ -32,4 +33,6 @@ public interface XContentContraints {
final int DEFAULT_MAX_DEPTH = Integer.parseInt(
System.getProperty(DEFAULT_MAX_DEPTH_PROPERTY, "1000" /* StreamReadConstraints.DEFAULT_MAX_DEPTH */)
);

final int DEFAULT_CODEPOINT_LIMIT = Integer.parseInt(System.getProperty(DEFAULT_CODEPOINT_LIMIT_PROPERTY, "52428800" /* ~50 Mb */));
}
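Review bot: `DEFAULT_CODEPOINT_LIMIT` is parsed with `Integer.parseInt` in an interface constant initializer, so a malformed `opensearch.xcontent.codepoint.max` value would surface as a `NumberFormatException` during class initialization rather than as a clear configuration error, and zero or negative values pass through unchecked. The existing `DEFAULT_MAX_DEPTH` uses the same pattern, so this may be accepted style, but this value bounds how much YAML input the parser will accept and deserves a Javadoc line stating its unit, its default and that it is read once at class load. The inline comment `/* ~50 Mb */` reads as a byte size while the value is a count of code points; I would write `/* 50 * 1024 * 1024 code points */`. The old test bounds elsewhere in this commit (3140000 and 3145730) suggest the previous effective limit was about 3 Mi code points, so the new default is a large relaxation of an input-size guard and the reason for it should be recorded next to the constant.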
Expand Up @@ -38,6 +38,7 @@
import com.fasterxml.jackson.core.StreamReadFeature;
import com.fasterxml.jackson.core.StreamWriteConstraints;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactoryBuilder;

import org.opensearch.common.xcontent.XContentContraints;
import org.opensearch.common.xcontent.XContentType;
Expand All @@ -55,6 +56,8 @@
import java.io.Reader;
import java.util.Set;

import org.yaml.snakeyaml.LoaderOptions;

/**
* A YAML based content implementation using Jackson.
*/
Expand All @@ -67,7 +70,9 @@ public static XContentBuilder contentBuilder() throws IOException {
public static final YamlXContent yamlXContent;

static {
yamlFactory = new YAMLFactory();
final LoaderOptions loaderOptions = new LoaderOptions();
loaderOptions.setCodePointLimit(DEFAULT_CODEPOINT_LIMIT);
yamlFactory = new YAMLFactoryBuilder(new YAMLFactory()).loaderOptions(loaderOptions).build();
yamlFactory.configure(JsonParser.Feature.STRICT_DUPLICATE_DETECTION, true);
yamlFactory.setStreamWriteConstraints(StreamWriteConstraints.builder().maxNestingDepth(DEFAULT_MAX_DEPTH).build());
yamlFactory.setStreamReadConstraints(
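Review bot: The code point limit is applied once in this static initializer, so it is fixed for the lifetime of the JVM and applies to every YAML document read through `yamlFactory`, and nothing in the block says so. I would add a comment above `loaderOptions.setCodePointLimit(DEFAULT_CODEPOINT_LIMIT);`, for example `// Caps the size, in code points, of a YAML document the parser will read; set opensearch.xcontent.codepoint.max at JVM start to change it.` Only the code point limit is set on `LoaderOptions`, so the other loader limits keep the library defaults; that looks intentional but is worth stating in the same comment. The `org.yaml.snakeyaml.LoaderOptions` import is also placed after the `java.*` group instead of with the other third-party imports. The static block continues past the end of the hunk.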
Expand Up @@ -85,7 +85,7 @@ public class XContentParserTests extends OpenSearchTestCase {
() -> randomAlphaOfLengthBetween(1, SmileXContent.DEFAULT_MAX_STRING_LEN),
/* YAML parser limitation */
XContentType.YAML,
() -> randomAlphaOfLengthBetween(1, 3140000)
() -> randomRealisticUnicodeOfCodepointLengthBetween(1, YamlXContent.DEFAULT_CODEPOINT_LIMIT)
);

private static final Map<XContentType, Supplier<String>> OFF_LIMIT_GENERATORS = Map.of(
Expand All @@ -97,7 +97,7 @@ public class XContentParserTests extends OpenSearchTestCase {
() -> randomAlphaOfLength(SmileXContent.DEFAULT_MAX_STRING_LEN + 1),
/* YAML parser limitation */
XContentType.YAML,
() -> randomRealisticUnicodeOfCodepointLength(3145730)
() -> randomRealisticUnicodeOfCodepointLength(YamlXContent.DEFAULT_CODEPOINT_LIMIT + 1)
);

private static final Map<XContentType, Supplier<String>> FIELD_NAME_GENERATORS = Map.of(
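Review bot: The in-limit YAML generator now draws lengths up to exactly `YamlXContent.DEFAULT_CODEPOINT_LIMIT`, leaving no headroom for the rest of the document, whereas the old bounds (3140000 in-limit against 3145730 off-limit) kept a margin of several thousand code points. If the limit counts the whole YAML stream rather than only the value, which I would expect but cannot confirm from these hunks, a length near the top of the range will be rejected and the test will fail intermittently. I would keep a margin, e.g. `() -> randomRealisticUnicodeOfCodepointLengthBetween(1, YamlXContent.DEFAULT_CODEPOINT_LIMIT - 8192)` (the margin value is illustrative). With the default of 52428800 both generators can also build very large strings on each run, so the heap and runtime cost of the test is worth checking. Both `Map.of(...)` declarations start outside the hunks shown.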
