Scripting: enable regular expressions by default #63029
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Setting `script.painless.regex.enabled` has a new option, `use-factor`, the default. This defaults to using regular expressions but limiting the complexity of the regular expressions. In addition to `use-factor`, the setting can be `true`, as before, which enables regular expressions without limiting them. `false` totally disables regular expressions, which was the old default. * New setting `script.painless.regex.limit-factor`. This limits regular expression complexity by limiting the number characters a regular expression can consider based on input length. The default is `6`, so a regular expression can consider `6` * input length number of characters. With input `foobarbaz` (length `9`), for example, the regular expression can consider `54` (`6 * 9`) characters. This reduces the impact of exponential backtracking in Java's regular expression engine. * add `@inject_constant` annotation to whitelist. This annotation signals that a compiler settings will be injected at the beginning of a whitelisted method. The format is `argnum=settingname`: `1=foo_setting 2=bar_setting`. Argument numbers must start at one and must be sequential. * Augment `Pattern.split(CharSequence)` `Pattern.split(CharSequence, int)`, `Pattern.splitAsStream(CharSequence)` `Pattern.matcher(CharSequence)` to take the value of `script.painless.regex.limit-factor` as a an injected parameter, limiting as explained above when this setting is in use. Fixes: elastic#49873
stu-elastic
added
>enhancement
:Core/Infra/Scripting
rjernst
requested changes
Sep 29, 2020
There was a problem hiding this comment.
I just have a few high level comments mostly. First is on the naming. "use-factor" is pretty cryptic. Can we use something like "limited"? This flows nicely to me. If I ask the question "are regexes enabled?" the answer true/false/limited. Second, it seems there are quite a few TODOs leftover that can probably be removed? If they are to be left in then please expand on them and/or create an issue so someone else on the team could understand what needs to be done.
| @@ -58,6 +58,7 @@ class java.util.regex.Matcher { | |||
| String replaceFirst(String) | |||
| boolean requireEnd() | |||
| Matcher reset() | |||
| # Whitelisting Matcher.reset(String) works around the regex limiting | |||
There was a problem hiding this comment.
Since we don't actually whitelist this method, I think this is just a comment to note if we did allow that method it would allow escaping the regex limiting? Could you clarify the comment?
There was a problem hiding this comment.
Updated comment.
| @@ -66,6 +66,8 @@ public ScriptScope(PainlessLookup painlessLookup, CompilerSettings compilerSetti | |||
| staticConstants.put("$SOURCE", scriptSource); | |||
| staticConstants.put("$DEFINITION", painlessLookup); | |||
| staticConstants.put("$FUNCTIONS", functionTable); | |||
| // TODO(stu): inject compiler settings here | |||
There was a problem hiding this comment.
Yup, these and all the left over todos were why this was initially a draft. They are gone now.
| @@ -211,7 +211,7 @@ protected void injectStaticFieldsAndGetters() { | |||
| irLoadFieldMemberNode.setLocation(internalLocation); | |||
| irLoadFieldMemberNode.setExpressionType(String.class); | |||
| irLoadFieldMemberNode.setName("$NAME"); | |||
| irLoadFieldMemberNode.setStatic(true); | |||
| irLoadFieldMemberNode.setStatic(true); // TODO(stu): add $COMPILER_INJECTS, add hash map and set it | |||
| if (arguments.containsKey(argNum) == false) { | ||
| throw new IllegalArgumentException("[@inject_constant] missing argument number [" + argNum + "]"); | ||
| } | ||
| // TODO(stu): Jack, how do I verify against CompilerSettings. |
There was a problem hiding this comment.
Todos like this are very cryptic. Can we just have a normal comment if some explanation is needed?
There was a problem hiding this comment.
Removed when draft.
| import java.util.Collections; | ||
| import java.util.List; | ||
|
|
||
| public class InjectConstantAnnotation { |
There was a problem hiding this comment.
Can we have some basic java docs on this?
|
Pinging @elastic/es-core-infra (:Core/Infra/Scripting) |
|
@stu-elastic One note is we need to ensure we support the operators ==~ and =~ in the BinaryMathNode.write method. Apologies as I dropped the ball on this one. |
stu-elastic
added a commit
to stu-elastic/elasticsearch
that referenced
this pull request
Oct 5, 2020
* Setting `script.painless.regex.enabled` has a new option, `use-factor`, the default. This defaults to using regular expressions but limiting the complexity of the regular expressions. In addition to `use-factor`, the setting can be `true`, as before, which enables regular expressions without limiting them. `false` totally disables regular expressions, which was the old default. * New setting `script.painless.regex.limit-factor`. This limits regular expression complexity by limiting the number characters a regular expression can consider based on input length. The default is `6`, so a regular expression can consider `6` * input length number of characters. With input `foobarbaz` (length `9`), for example, the regular expression can consider `54` (`6 * 9`) characters. This reduces the impact of exponential backtracking in Java's regular expression engine. * add `@inject_constant` annotation to whitelist. This annotation signals that a compiler settings will be injected at the beginning of a whitelisted method. The format is `argnum=settingname`: `1=foo_setting 2=bar_setting`. Argument numbers must start at one and must be sequential. * Augment `Pattern.split(CharSequence)` `Pattern.split(CharSequence, int)`, `Pattern.splitAsStream(CharSequence)` `Pattern.matcher(CharSequence)` to take the value of `script.painless.regex.limit-factor` as a an injected parameter, limiting as explained above when this setting is in use. Fixes: elastic#49873
stu-elastic
added a commit
that referenced
this pull request
Oct 5, 2020
* Setting `script.painless.regex.enabled` has a new option, `use-factor`, the default. This defaults to using regular expressions but limiting the complexity of the regular expressions. In addition to `use-factor`, the setting can be `true`, as before, which enables regular expressions without limiting them. `false` totally disables regular expressions, which was the old default. * New setting `script.painless.regex.limit-factor`. This limits regular expression complexity by limiting the number characters a regular expression can consider based on input length. The default is `6`, so a regular expression can consider `6` * input length number of characters. With input `foobarbaz` (length `9`), for example, the regular expression can consider `54` (`6 * 9`) characters. This reduces the impact of exponential backtracking in Java's regular expression engine. * add `@inject_constant` annotation to whitelist. This annotation signals that a compiler settings will be injected at the beginning of a whitelisted method. The format is `argnum=settingname`: `1=foo_setting 2=bar_setting`. Argument numbers must start at one and must be sequential. * Augment `Pattern.split(CharSequence)` `Pattern.split(CharSequence, int)`, `Pattern.splitAsStream(CharSequence)` `Pattern.matcher(CharSequence)` to take the value of `script.painless.regex.limit-factor` as a an injected parameter, limiting as explained above when this setting is in use. Fixes: #49873 Backport of: 93f29a4
nik9000
added a commit
to nik9000/elasticsearch
that referenced
this pull request
Oct 20, 2020
Now that we've got regexes enabled by default (elastic#63029) this adds a test to runtime fields just to make sure that it works with regexes. It does, but this adds a test to make sure it continues to work.
nik9000
added a commit
that referenced
this pull request
Oct 20, 2020
Now that we've got regexes enabled by default (#63029) this adds a test to runtime fields just to make sure that it works with regexes. It does, but this adds a test to make sure it continues to work.
nik9000
added a commit
to nik9000/elasticsearch
that referenced
this pull request
Oct 20, 2020
Now that we've got regexes enabled by default (elastic#63029) this adds a test to runtime fields just to make sure that it works with regexes. It does, but this adds a test to make sure it continues to work.
nik9000
added a commit
that referenced
this pull request
Oct 20, 2020
pugnascotia
pushed a commit
to pugnascotia/elasticsearch
that referenced
this pull request
Oct 21, 2020
Now that we've got regexes enabled by default (elastic#63029) this adds a test to runtime fields just to make sure that it works with regexes. It does, but this adds a test to make sure it continues to work.
jrodewig
added a commit
that referenced
this pull request
Aug 4, 2021
elasticsearchmachine
pushed a commit
to elasticsearchmachine/elasticsearch
that referenced
this pull request
Aug 4, 2021
Documents the `script.painless.regex.enabled` and `script.painless.regex.limit-factor` cluster settings. Relates to elastic#63029. Closes elastic#75199.
elasticsearchmachine
pushed a commit
to elasticsearchmachine/elasticsearch
that referenced
this pull request
Aug 4, 2021
Documents the `script.painless.regex.enabled` and `script.painless.regex.limit-factor` cluster settings. Relates to elastic#63029. Closes elastic#75199.
elasticsearchmachine
pushed a commit
to elasticsearchmachine/elasticsearch
that referenced
this pull request
Aug 4, 2021
Documents the `script.painless.regex.enabled` and `script.painless.regex.limit-factor` cluster settings. Relates to elastic#63029. Closes elastic#75199.
elasticsearchmachine
pushed a commit
to elasticsearchmachine/elasticsearch
that referenced
this pull request
Aug 4, 2021
Documents the `script.painless.regex.enabled` and `script.painless.regex.limit-factor` cluster settings. Relates to elastic#63029. Closes elastic#75199.
elasticsearchmachine
pushed a commit
to elasticsearchmachine/elasticsearch
that referenced
this pull request
Aug 4, 2021
Documents the `script.painless.regex.enabled` and `script.painless.regex.limit-factor` cluster settings. Relates to elastic#63029. Closes elastic#75199.
elasticsearchmachine
added a commit
that referenced
this pull request
Aug 4, 2021
elasticsearchmachine
added a commit
that referenced
this pull request
Aug 4, 2021
elasticsearchmachine
added a commit
that referenced
this pull request
Aug 4, 2021
jrodewig
added a commit
that referenced
this pull request
Aug 4, 2021
elasticsearchmachine
added a commit
that referenced
this pull request
Aug 4, 2021
jrodewig
added a commit
that referenced
this pull request
Aug 4, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Setting
script.painless.regex.enabledhas a new option,limited, the default. This defaults to using regularexpressions but limiting the complexity of the regular
expressions.
In addition to
limited, the setting can betrue, asbefore, which enables regular expressions without limiting them.
falsetotally disables regular expressions, which was theold default.
New setting
script.painless.regex.limit-factor. This limitsregular expression complexity by limiting the number characters
a regular expression can consider based on input length.
The default is
6, so a regular expression can consider6* input length number of characters. With inputfoobarbaz(length9), for example, the regular expressioncan consider
54(6 * 9) characters.This reduces the impact of exponential backtracking in Java's
regular expression engine.
add
@inject_constantannotation to whitelist.This annotation signals that a compiler settings will
be injected at the beginning of a whitelisted method.
The format is
argnum=settingname:1=foo_setting 2=bar_setting.Argument numbers must start at one and must be sequential.
Augment
Pattern.split(CharSequence)Pattern.split(CharSequence, int),Pattern.splitAsStream(CharSequence)Pattern.matcher(CharSequence)to take the value of
script.painless.regex.limit-factoras aan injected parameter, limiting as explained above when this
setting is in use.
Fixes: #49873