Escape pipe character for injected users (#5175) (#5192)

shikharj05 · web-flow · commit 8cf36b2b53f7 · 2025-03-20T10:40:51.000-04:00
Signed-off-by: shikharj05 &lt;8859327+shikharj05@users.noreply.github.com&gt;
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorImpl.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorImpl.java
@@ -111,6 +111,7 @@
 
 import static org.opensearch.security.OpenSearchSecurityPlugin.traceAction;
 import static org.opensearch.security.support.ConfigConstants.OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT;
+import static org.opensearch.security.support.SecurityUtils.escapePipe;
 
 public class PrivilegesEvaluatorImpl implements PrivilegesEvaluator {
 
@@ -275,12 +276,14 @@ public boolean isInitialized() {
     private void setUserInfoInThreadContext(User user) {
         if (threadContext.getTransient(OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT) == null) {
             StringJoiner joiner = new StringJoiner("|");
-            joiner.add(user.getName());
-            joiner.add(String.join(",", user.getRoles()));
-            joiner.add(String.join(",", user.getSecurityRoles()));
+            // Escape any pipe characters in the values before joining
+            joiner.add(escapePipe(user.getName()));
+            joiner.add(escapePipe(String.join(",", user.getRoles())));
+            joiner.add(escapePipe(String.join(",", user.getSecurityRoles())));
+
             String requestedTenant = user.getRequestedTenant();
             if (!Strings.isNullOrEmpty(requestedTenant)) {
-                joiner.add(requestedTenant);
+                joiner.add(escapePipe(requestedTenant));
             }
             threadContext.putTransient(OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT, joiner.toString());
         }
diff --git a/src/main/java/org/opensearch/security/privileges/legacy/PrivilegesEvaluatorImpl.java b/src/main/java/org/opensearch/security/privileges/legacy/PrivilegesEvaluatorImpl.java
@@ -109,6 +109,7 @@
 
 import static org.opensearch.security.OpenSearchSecurityPlugin.traceAction;
 import static org.opensearch.security.support.ConfigConstants.OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT;
+import static org.opensearch.security.support.SecurityUtils.escapePipe;
 
 public class PrivilegesEvaluatorImpl implements PrivilegesEvaluator {
 
@@ -245,12 +246,14 @@ public boolean isInitialized() {
     private void setUserInfoInThreadContext(User user) {
         if (threadContext.getTransient(OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT) == null) {
             StringJoiner joiner = new StringJoiner("|");
-            joiner.add(user.getName());
-            joiner.add(String.join(",", user.getRoles()));
-            joiner.add(String.join(",", user.getSecurityRoles()));
+            // Escape any pipe characters in the values before joining
+            joiner.add(escapePipe(user.getName()));
+            joiner.add(escapePipe(String.join(",", user.getRoles())));
+            joiner.add(escapePipe(String.join(",", user.getSecurityRoles())));
+
             String requestedTenant = user.getRequestedTenant();
             if (!Strings.isNullOrEmpty(requestedTenant)) {
-                joiner.add(requestedTenant);
+                joiner.add(escapePipe(requestedTenant));
             }
             threadContext.putTransient(OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT, joiner.toString());
         }
diff --git a/src/main/java/org/opensearch/security/support/SecurityUtils.java b/src/main/java/org/opensearch/security/support/SecurityUtils.java
@@ -161,4 +161,12 @@ private static String resolveEnvVar(String envVarName, String mode, boolean bc,
             return bc ? Hasher.hash(envVarValue.toCharArray(), settings) : envVarValue;
         }
     }
+
+    // Helper method to escape pipe characters
+    public static String escapePipe(String input) {
+        if (input == null) {
+            return "";
+        }
+        return input.replace("|", "\\|");
+    }
 }
diff --git a/src/test/java/org/opensearch/security/support/SecurityUtilsTest.java b/src/test/java/org/opensearch/security/support/SecurityUtilsTest.java
@@ -70,4 +70,35 @@ private void checkKeysWithPredicate(Collection<String> keys, String predicateNam
             );
         });
     }
+
+    @Test
+    public void testEscapePipe_NullInput() {
+        assertThat("Null input should return empty string", SecurityUtils.escapePipe(null), equalTo(""));
+    }
+
+    @Test
+    public void testEscapePipe_EmptyString() {
+        assertThat("Empty string should return empty string", SecurityUtils.escapePipe(""), equalTo(""));
+    }
+
+    @Test
+    public void testEscapePipe_StringWithoutPipe() {
+        assertThat("String without pipe should remain unchanged", SecurityUtils.escapePipe("normal string"), equalTo("normal string"));
+    }
+
+    @Test
+    public void testEscapePipe_SinglePipe() {
+        assertThat("Single pipe should be escaped", SecurityUtils.escapePipe("before|after"), equalTo("before\\|after"));
+    }
+
+    @Test
+    public void testEscapePipe_MultiplePipes() {
+        assertThat("Multiple pipes should all be escaped", SecurityUtils.escapePipe("a|b|c"), equalTo("a\\|b\\|c"));
+    }
+
+    @Test
+    public void testEscapePipe_MultiplePipesConsecutive() {
+        assertThat("Consecutive pipes should all be escaped", SecurityUtils.escapePipe("|||"), equalTo("\\|\\|\\|"));
+    }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -161,4 +161,12 @@ private static String resolveEnvVar(String envVarName, String mode, boolean bc,`
`161`	`161`	`return bc ? Hasher.hash(envVarValue.toCharArray(), settings) : envVarValue;`
`162`	`162`	`}`
`163`	`163`	`}`
	`164`	`+`
	`165`	`+ // Helper method to escape pipe characters`
	`166`	`+ public static String escapePipe(String input) {`
	`167`	`+ if (input == null) {`
	`168`	`+ return "";`
	`169`	`+ }`
	`170`	`+ return input.replace("\|", "\\\|");`
	`171`	`+ }`
`164`	`172`	`}`