Eql requests return data even though they aren't allowed

Hello,

we have readonlyRest Pro and elasticsearch in this configuration:
elasticsearch version: 8.14.1
ROR version 1.60.0

Now, I will create two indices:

PUT index1/_doc/1
{
  "content": "index1-data-1"
}

PUT index2/_doc/1
{
  "content": "index2-data-1"
}

In readonlyrest config I have set up this block, to allow user “eqltest” to read data only from index1:

    - name: "::Other - eqltest::" 
      auth_key: "eqltest:jabadaba"
      actions: ["indices:monitor/settings/get","cluster:monitor/main","cluster:monitor/nodes/stats","cluster:monitor/nodes/info","cluster:monitor/state","indices:monitor/stats","indices:admin/types/exists","indices:data/read/*","indices:admin/template/*","indices:admin/mappings/get"]
      indices: ["index1"]

Default policy is to block all requests. We have no other block in the config that should allow this user to read anything else.

Now there are 4 examples of API requests:

Case 1: standard search for index1, that should be allowed: OK

curl -u eqltest:jabadaba -XGET "https://my-elastic-node-url:9200/index1/_search" -H "Content-Type: application/json" -d'
{
  "query": {
    "match_all": {}
  }
}'
# RETURNS:
{"took":18,"timed_out":false,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":1,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"index1","_id":"1","_score":1.0,"_source":{
 "content": "index1-data-1"
}
# Which is ok, it has access, and it returns data

Case 2: standard search for index2, that should be filtered: OK

curl -u eqltest:jabadaba -XGET "https://my-elastic-node-url:9200/index2/_search" -H "Content-Type: application/json" -d'
{
  "query": {
    "match_all": {}
  }
}'
# RETURNS:
{"error":{"root_cause":[{"type":"index_not_found_exception","reason":"no such index [index2_ROR_qUrbUjCe5e]","resource.type":"index_or_alias","resource.id":"index2_ROR_qUrbUjCe5e","index_uuid":"_na_","index":"index2_ROR_qUrbUjCe5e"}],"type":"index_not_found_exception","reason":"no such index [index2_ROR_qUrbUjCe5e]","resource.type":"index_or_alias","resource.id":"index2_ROR_qUrbUjCe5e","index_uuid":"_na_","index":"index2_ROR_qUrbUjCe5e"},"status":404}
# Which is ok, it does not have access, it returns index_not_found_exception

Case 3: eql search for index1, that should be allowed: OK

curl -u eqltest:jabadaba -XPOST -d '{
  "query":
  "from index1 | limit 10"
}' -H 'Accept: text/csv; charset=utf-8' -H 'Content-Type: application/json' 'https://my-elastic-node-url:9200/_query?format=csv'

# RETURNS:
content,content.keyword
index1-data-1,index1-data-1
# Which is ok, it has access, and it returns data

Case 4: eql search for index2, that should be filtered: PROBLEM

curl -u eqltest:jabadaba -XPOST -d '{
  "query":
  "from index2 | limit 10"
}' -H 'Accept: text/csv; charset=utf-8' -H 'Content-Type: application/json' 'https://my-elastic-node-url:9200/_query?format=csv'

# RETURNS:
content,content.keyword
index2-data-1,index2-data-1
# Which is NOT OK, as it should be filtered.. but it returns data!

This last case 4 should not return real data. From my tests, I found out that if there is any block in readonlyrest that will allow user "eqltest" to read at least one index, eql search will be allowed by this block and will be able to read any data from any index in elasticsearch. If user eqltest has no allow block in readonlyrest at all, the request will be blocked as it should be.

Thanks for the detailed report. We will check it ASAP.

I confirm the issue.

For now, we recommend disabling ESQL, e.g. by adding this block somewhere at the beginning of the ACL:

    - name: "Disable ESQL"
      type: forbid
      actions: ["indices:data/read/esql*"]

We're working on the fix. We will release immediately after we have it.
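The following is an added model of the ACL decision for the four cases in the report and for the "Disable ESQL" workaround above. It is not ReadonlyREST's code; it is a small, offline simulation written for this thread. It assumes that the ES|QL request carries its target indices only inside the query text (the `from index2 ...` body sent to `/_query`), so an ACL that derives the index list from the URL path sees no indices and cannot apply the `indices:` rule, which is one way the reported behaviour arises; it also assumes the ES|QL action name `indices:data/read/esql`, which the thread supports only indirectly through the `indices:data/read/esql*` forbid pattern. The cluster index list, the password check and the plain "FORBIDDEN" result (where ROR returns the `index_not_found_exception` shown in Case 2) are simplifications of the model.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample cluster: the two indices created in the report.
CLUSTER_INDICES = ["index1", "index2"]

# Elasticsearch action names. The ES|QL one is an assumption; the thread only
# shows that the pattern "indices:data/read/esql*" covers it.
SEARCH_ACTION = "indices:data/read/search"
ESQL_ACTION = "indices:data/read/esql"


@dataclass
class Block:
    name: str
    actions: list
    auth_key: Optional[str] = None   # "user:password"; None = any user (model only checks the user part)
    indices: Optional[list] = None   # None = no index restriction
    type: str = "allow"              # "allow" or "forbid"


@dataclass
class Request:
    user: str
    action: str
    path: str          # e.g. "/index2/_search" or "/_query"
    body: str = ""     # ES|QL query text for /_query


# The reporter's block, reduced to the actions that matter here.
EQLTEST_BLOCK = Block(
    name="::Other - eqltest::",
    actions=["cluster:monitor/main", "indices:data/read/*", "indices:admin/mappings/get"],
    auth_key="eqltest:jabadaba",
    indices=["index1"],
)
# The workaround block recommended in the thread.
DISABLE_ESQL_BLOCK = Block(name="Disable ESQL", actions=["indices:data/read/esql*"], type="forbid")

_FROM_RE = re.compile(r"^\s*from\s+([^|]+)", re.IGNORECASE)


def esql_targets(query: str) -> list:
    """Index names or patterns named by the FROM source command of an ES|QL query."""
    m = _FROM_RE.match(query)
    if not m:
        return []
    return [t.strip() for t in m.group(1).split(",") if t.strip()]


def expand(patterns, cluster=CLUSTER_INDICES) -> set:
    """Resolve index wildcards (e.g. "index*") against the cluster's index list."""
    return {i for p in patterns for i in cluster if fnmatch.fnmatchcase(i, p)}


def requested_indices(req: Request, parse_esql: bool) -> set:
    """Indices a request targets. Path-based APIs carry them in the URL; ES|QL
    carries them only in the query body. parse_esql=False models an ACL that
    ignores the body, which is the assumed cause of the leak in Case 4."""
    if req.path.startswith("/_query"):
        return expand(esql_targets(req.body)) if parse_esql else set()
    head = req.path.strip("/").split("/")[0]
    return expand(head.split(",")) if head and not head.startswith("_") else set()


def decide(acl, req: Request, parse_esql: bool = True) -> str:
    """First matching block wins; with no match the default policy (deny) applies."""
    for b in acl:
        if b.auth_key and b.auth_key.split(":")[0] != req.user:
            continue
        if not any(fnmatch.fnmatchcase(req.action, a) for a in b.actions):
            continue
        if b.type == "forbid":
            return f"FORBIDDEN by {b.name}"
        wanted = requested_indices(req, parse_esql)
        # An empty "wanted" set is trivially a subset, so a block with an index
        # restriction still matches: that is exactly the hole in Case 4.
        if b.indices is not None and not wanted <= expand(b.indices):
            continue  # ROR answers this with the 404 seen in Case 2
        return f"ALLOWED by {b.name}"
    return "FORBIDDEN (default)"


CASES = {
    "case1_search_index1": Request("eqltest", SEARCH_ACTION, "/index1/_search"),
    "case2_search_index2": Request("eqltest", SEARCH_ACTION, "/index2/_search"),
    "case3_esql_index1": Request("eqltest", ESQL_ACTION, "/_query", "from index1 | limit 10"),
    "case4_esql_index2": Request("eqltest", ESQL_ACTION, "/_query", "from index2 | limit 10"),
}


def run(acl, parse_esql: bool) -> dict:
    return {name: decide(acl, r, parse_esql) for name, r in CASES.items()}


if __name__ == "__main__":
    scenarios = [
        ("buggy (indices taken from the URL path only)", [EQLTEST_BLOCK], False),
        ("workaround (forbid block first)", [DISABLE_ESQL_BLOCK, EQLTEST_BLOCK], False),
        ("fixed (indices parsed from the FROM clause)", [EQLTEST_BLOCK], True),
    ]
    for label, acl, parse in scenarios:
        print(label)
        for name, verdict in run(acl, parse).items():
            print("  ", name, "->", verdict)
```

Running it shows Case 4 allowed in the buggy scenario, forbidden by the "Disable ESQL" block in the workaround scenario (at the cost of Case 3 as well, since the workaround blocks all ES|QL), and forbidden by the default policy once the FROM clause is parsed. The wildcard path (`from index* | limit 10`) is also denied in the fixed scenario because the pattern expands to an index outside the block's list.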

@pdalak ROR 1.61.1 with the security fix is released. Could you please confirm the problem is gone?

Hello, yes it works as it should now. Thank you.


Thanks for the bug report and your tests.