I figured out what the actual default receiver_whitelist is through the
GroovySandboxExpressionChecked code, and if I want to add java.lang.String
to the whitelist, I'd just have to add its classname to the other
classnames in the script.groovy.sandbox.receiver_whitelist setting in
elasticsearch.yml
If I'm not wrong, it should be :
script.groovy.sandbox.receiver_whitelist:
"java.lang.Math,java.lang.Integer,java.lang.Float,java.lang.Double,java.lang.Long,java.lang.Short,java.lang.Character,java.lang.Byte,java.lang.Boolean,java.math.BigDecimal,java.util.Arrays,java.util.Date,java.util.List,java.util.Map,java.util.Set,java.lang.Object,org.elasticsearch.common.joda.time.DateTime,org.elasticsearch.common.joda.time.DateTimeUtils,org.elasticsearch.common.joda.time.DateTimeZone,org.elasticsearch.common.joda.time.Instant,java.lang.String"
am I right ?
Le mercredi 10 décembre 2014 11:32:45 UTC+1, Dunaeth a écrit :
Thanks, I'll just need to find what is the actual whitelist and how to
have a custom one then. If someone has any clue ?
Le mercredi 10 décembre 2014 11:27:52 UTC+1, Jörg Prante a écrit :
No. I think ES developers configured the sandbox to deny java.lang.*
calls and java.lang.String is not in the whitelist.
https://github.com/elasticsearch/elasticsearch/blob/b43b56a6a85f7dd131086fd83dc9267aecbbf0a3/src/main/java/org/elasticsearch/script/groovy/GroovySandboxExpressionChecker.java#L90-L111
https://www.google.com/url?q=https%3A%2F%2Fgithub.com%2Felasticsearch%2Felasticsearch%2Fblob%2Fb43b56a6a85f7dd131086fd83dc9267aecbbf0a3%2Fsrc%2Fmain%2Fjava%2Forg%2Felasticsearch%2Fscript%2Fgroovy%2FGroovySandboxExpressionChecker.java%23L90-L111&sa=D&sntz=1&usg=AFQjCNHRcEKxmTeoBh0RSXOdklvMO2vAbg
You can add java.lang.String to the whitelist by defining your own
whitelist including java.lang.String
Elasticsearch Platform — Find real-time answers at scale | Elastic
or open an issue with the request to add java.lang.String to the groovy
whitelist by default.
Jörg
On Wed, Dec 10, 2014 at 11:13 AM, Dunaeth lomig...@gmail.com wrote:
May this exception be caused by a bad dynamic_scripting parameter ?
Le mercredi 10 décembre 2014 11:10:14 UTC+1, Dunaeth a écrit :
Here it is :
[log-2014-02][0]: SearchParseException[[log-2014-02][0]:
from[-1],size[0]: Parse Failure [Failed to parse source
[{"size":0,"aggs":{"prefilter":{"filter":{"and":[{"bool":{"
must":[{"term":{"valid":true}},{"term":{"shop_id":"1838"}}]}
},{"range":{"date":{"gte":"2014-11-08T23:00:00.000+00:00"
,"lt":"2014-12-09T23:00:00.000+00:00"}}}]},"aggs":{"per_
day":{"terms":{"script":"doc.date.date.setZone(org.
elasticsearch.common.joda.time.DateTimeZone.forID('
Europe/Paris'));doc.date.date.year+'-'+String.format('%02d',
doc.date.date.monthOfYear)+'-'+String.format('%02d',doc.
date.date.dayOfMonth)","size":31,"order":{"_term":"asc"}},"
aggs":{"stats":{"terms":{"field":"type"},"aggs":{"
unique":{"filter":{"term":{"unique":true}}}}}}}}}}}]]]; nested:
GroovyScriptCompilationException[MultipleCompilationErrorsException[startup
failed: General error during canonicalization: Method calls not allowed on
[java.lang.String] java.lang.SecurityException: Method calls not allowed on
[java.lang.String] at org.codehaus.groovy.control.customizers.
SecureASTCustomizer$SecuringCodeVisitor.visitMethodCallExpression(SecureASTCustomizer.java:855)
at org.codehaus.groovy.ast.expr.MethodCallExpression.visit(MethodCallExpression.java:64)
at org.codehaus.groovy.control.customizers.SecureASTCustomizer$
SecuringCodeVisitor.visitBinaryExpression(SecureASTCustomizer.java:897)
at org.codehaus.groovy.ast.expr.BinaryExpression.visit(BinaryExpression.java:49)
at org.codehaus.groovy.control.customizers.SecureASTCustomizer$
SecuringCodeVisitor.visitBinaryExpression(SecureASTCustomizer.java:896)
at org.codehaus.groovy.ast.expr.BinaryExpression.visit(BinaryExpression.java:49)
at org.codehaus.groovy.control.customizers.SecureASTCustomizer$
SecuringCodeVisitor.visitBinaryExpression(SecureASTCustomizer.java:896)
at org.codehaus.groovy.ast.expr.BinaryExpression.visit(BinaryExpression.java:49)
at org.codehaus.groovy.control.customizers.SecureASTCustomizer$
SecuringCodeVisitor.visitExpressionStatement(SecureASTCustomizer.java:777)
at org.codehaus.groovy.ast.stmt.ExpressionStatement.visit(ExpressionStatement.java:40)
at org.codehaus.groovy.control.customizers.SecureASTCustomizer$
SecuringCodeVisitor.visitBlockStatement(SecureASTCustomizer.java:737)
at org.codehaus.groovy.ast.stmt.BlockStatement.visit(BlockStatement.java:69)
at org.codehaus.groovy.control.customizers.SecureASTCustomizer.call(SecureASTCustomizer.java:552)
at org.codehaus.groovy.control.CompilationUnit.
applyToPrimaryClassNodes(CompilationUnit.java:1047) at
org.codehaus.groovy.control.CompilationUnit.doPhaseOperation(CompilationUnit.java:583)
at org.codehaus.groovy.control.CompilationUnit.processPhaseOperations(CompilationUnit.java:561)
at org.codehaus.groovy.control.CompilationUnit.compile(CompilationUnit.java:538)
at groovy.lang.GroovyClassLoader.doParseClass(GroovyClassLoader.java:286)
at groovy.lang.GroovyClassLoader.parseClass(GroovyClassLoader.java:259)
at groovy.lang.GroovyClassLoader.parseClass(GroovyClassLoader.java:245)
at groovy.lang.GroovyClassLoader.parseClass(GroovyClassLoader.java:203)
at org.elasticsearch.script.groovy.GroovyScriptEngineService.compile(
GroovyScriptEngineService.java:119) at org.elasticsearch.script.
ScriptService.getCompiledScript(ScriptService.java:353) at
org.elasticsearch.script.ScriptService.compile(ScriptService.java:339)
at org.elasticsearch.script.ScriptService.search(ScriptService.java:475)
at org.elasticsearch.search.aggregations.support.ValuesSourceParser.
createScript(ValuesSourceParser.java:193) at org.elasticsearch.search.
aggregations.support.ValuesSourceParser.config(ValuesSourceParser.java:153)
at org.elasticsearch.search.aggregations.bucket.terms.
TermsParser.parse(TermsParser.java:57) at org.elasticsearch.search.
aggregations.AggregatorParsers.parseAggregators(AggregatorParsers.java:130)
at org.elasticsearch.search.aggregations.AggregatorParsers.
parseAggregators(AggregatorParsers.java:120) at
org.elasticsearch.search.aggregations.AggregatorParsers.
parseAggregators(AggregatorParsers.java:77) at
org.elasticsearch.search.aggregations.AggregationParseElement.parse(
AggregationParseElement.java:60) at org.elasticsearch.search.
SearchService.parseSource(SearchService.java:665) at
org.elasticsearch.search.SearchService.createContext(SearchService.java:537)
at org.elasticsearch.search.SearchService.createAndPutContext(SearchService.java:509)
at org.elasticsearch.search.SearchService.executeQueryPhase(SearchService.java:264)
at org.elasticsearch.search.action.SearchServiceTransportAction$
5.call(SearchServiceTransportAction.java:231) at
org.elasticsearch.search.action.SearchServiceTransportAction$5.call(
SearchServiceTransportAction.java:228) at org.elasticsearch.search.
action.SearchServiceTransportAction$23.run(
SearchServiceTransportAction.java:559) at java.util.concurrent.
ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745) 1 error ]];
}{[-Li6K0zKQnW-QBA1Y7xblQ][log-2014-03][0]: RemoteTransportException[[
sql1][inet[/10.16.75.3:9300]][indices:data/read/search[phase/query]]];
Le mercredi 10 décembre 2014 11:06:37 UTC+1, Jörg Prante a écrit :
Can you post the security exception?
Jörg
On Wed, Dec 10, 2014 at 11:02 AM, Dunaeth lomig...@gmail.com wrote:
Hi,
With ES 1.4, the default scripting language switched from mvel to
groovy. We were using script fields in our queries like
«String.format('%02d',doc.date.date.monthOfYear)», is there a way to
achieve the same result using groovy ? ATM, we're experiencing security
exceptions, method calls not allowed.
--
You received this message because you are subscribed to the Google
Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to elasticsearc...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/
msgid/elasticsearch/d9afcc9a-f4a5-411f-9fd2-0c51f44a5f2a%
40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/d9afcc9a-f4a5-411f-9fd2-0c51f44a5f2a%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google
Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to elasticsearc...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/ce3d5233-d0cb-41a5-8797-92fa3275fb26%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/ce3d5233-d0cb-41a5-8797-92fa3275fb26%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/4772fb46-74cf-438d-ab2f-19c4eacdc995%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.