Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Backport PR #15720 to 8.12: Add system properties to configure Jackson's stream read constraints #15763

Merged
merged 1 commit into from
Jan 8, 2024
Merged

Backport PR #15720 to 8.12: Add system properties to configure Jackson's stream read constraints #15763

merged 1 commit into from
Jan 8, 2024

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Jan 8, 2024

Backport PR #15720 to 8.12 branch, original message:

Release notes

Added jvm.options properties to configure the Jackson read constraints defaults (Maximum Number value length, Maximum String value length, and Maximum Nesting depth).

What does this PR do?

This PR adds 3 new custom system properties into the jvm.options. Those new properties are used to fine-tune the default Jackson stream read constraints values, which are used by Jackson to guard against malicious input by preventing processing of too big inputs. The added properties can be found here.

The intention of early set the Jackson defaults during the startup (runner.rb) was to ensure that all Logstash's functionalities that rely on Jackson are using those settings values.

Why is it important/What is the impact to the user?

Although the Jackson's defaults works for the majority of users, it might be too restrictive - and a blocker - for pipelines receiving big payload requests or with a deeper level of nested objects.

Having the possibility of tuning those properties is essential to unblock users with that use-case and for a more accurate guard against malicious inputs.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files (and/or docker env variables)
  • I have added tests that prove my fix is effective or that my feature works

How to test this PR locally

  • Set any property value to a lower/higher value, e.g.: -Dlogstash.jackson.stream-read-constraints.max-string-length=2
  • Configure and run a pipeline with a beats input
  • Send any data to this pipeline that exceeds the configured property value
  • Check the logs for: com.fasterxml.jackson.core.exc.StreamConstraintsException: String length (24) exceeds the maximum length (2)

Related issues

@edmocosta @logstashmachine
Add system properties to configure Jackson's stream read constraints (#…
acc0731 
…15720)

This commit added a few jvm.options properties to configure the Jackson read constraints defaults (Maximum Number value length, Maximum String value length, and Maximum Nesting depth).

(cherry picked from commit a21ced0)
@edmocosta edmocosta requested a review from jsvd January 8, 2024 16:49
@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No Coverage information No data about Coverage
No Duplication information No data about Duplication

See analysis details on SonarQube

@elasticmachine
Copy link
Collaborator

elasticmachine commented Jan 8, 2024
edited
Loading

💔 Build Failed

Failed CI Steps

History

jsvd
jsvd approved these changes Jan 8, 2024
View reviewed changes
Copy link
Member

@jsvd jsvd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jsvd jsvd merged commit 21ccd8c into 8.12 Jan 8, 2024
3 of 5 checks passed
@jsvd jsvd deleted the backport_15720_8.12 branch January 8, 2024 17:03
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@jsvd jsvd jsvd approved these changes

Assignees
No one assigned
Labels
backport v8.12.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@elasticmachine @jsvd @roaksoax @edmocosta