REST API: Allow to configure JSONP/callback support

Added the http.jsonp.enable option to configure disabling of JSONP responses, as those might pose a security risk, and can be disabled if unused. This also fixes bugs in NettyHttpChannel * JSONP responses were never setting application/javascript as the content-type * The content-type and content-length headers were being overwritten even if they were set before Closes elastic#6164

Author: Fitblip

config/elasticsearch.yml

@@ -375,3 +375,11 @@
 #monitor.jvm.gc.old.warn: 10s
 #monitor.jvm.gc.old.info: 5s
 #monitor.jvm.gc.old.debug: 2s
+
+################################## Security ################################
+
+# Uncomment if you want to disable JSONP as a valid return transport on the
+# http server. With this enabled, it may pose a security risk, so disabling
+# it unless you need it is recommended.
+#
+#http.jsonp.enable: false

docs/reference/api-conventions.asciidoc

@@ -241,8 +241,17 @@ document indexed.
 [float]
 === JSONP
 
-All REST APIs accept a `callback` parameter resulting in a
-http://en.wikipedia.org/wiki/JSONP[JSONP] result.
+By default JSONP resposes are enabled. All REST APIs accept a `callback` parameter
+resulting in a http://en.wikipedia.org/wiki/JSONP[JSONP] result. You can disable
+this behavior by adding the following to `config.yaml`:
+
+ http.jsonp.enable: false
+
+Please note, due to the architecture of Elasticsearch, this may pose a security
+risk. Under some circumstances, an attacker may be able to exfiltrate data in your
+Elasticsearch server if they're able to force your browser to make a JSONP request
+on your behalf (e.g. by including a <script> tag on an untrusted site with a
+legitimate query against a local Elasticsearch server).
 
 [float]
 === Request body in query string

src/main/java/org/elasticsearch/http/netty/NettyHttpChannel.java

@@ -139,10 +139,20 @@ public void sendResponse(RestResponse response) {
  buffer,
  ChannelBuffers.wrappedBuffer(END_JSONP)
  );
+ // Add content-type header of "application/javascript"
+ resp.headers().add(HttpHeaders.Names.CONTENT_TYPE, "application/javascript");
  }
  resp.setContent(buffer);
- resp.headers().add(HttpHeaders.Names.CONTENT_TYPE, response.contentType());
- resp.headers().add(HttpHeaders.Names.CONTENT_LENGTH, String.valueOf(buffer.readableBytes()));
+
+ // If our response doesn't specify a content-type header, set one
+ if (!resp.headers().contains(HttpHeaders.Names.CONTENT_TYPE)) {
+ resp.headers().add(HttpHeaders.Names.CONTENT_TYPE, response.contentType());
+ }
+
+ // If our response has no content-length, calculate and set one
+ if (!resp.headers().contains(HttpHeaders.Names.CONTENT_LENGTH)) {
+ resp.headers().add(HttpHeaders.Names.CONTENT_LENGTH, String.valueOf(buffer.readableBytes()));
+ }
 
  if (transport.resetCookies) {
  String cookieString = nettyRequest.headers().get(HttpHeaders.Names.COOKIE);

src/main/java/org/elasticsearch/rest/RestController.java

@@ -27,6 +27,7 @@
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.path.PathTrie;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.rest.support.RestUtils;
 
 import java.io.IOException;
@@ -35,6 +36,7 @@
 
 import static org.elasticsearch.rest.RestStatus.BAD_REQUEST;
 import static org.elasticsearch.rest.RestStatus.OK;
+import static org.elasticsearch.rest.RestStatus.FORBIDDEN;
 
 /**
  *
@@ -137,6 +139,20 @@ public RestFilterChain filterChain(RestFilter executionFilter) {
  }
 
  public void dispatchRequest(final RestRequest request, final RestChannel channel) {
+ // If JSONP is disabled and someone sends a callback parameter we should bail out before querying
+ if (!settings.getAsBoolean("http.jsonp.enable", true) && request.hasParam("callback")){
+ try {
+ XContentBuilder builder = channel.newBuilder();
+ builder.startObject().field("error","JSONP is disabled.").endObject().string();
+ RestResponse response = new BytesRestResponse(FORBIDDEN, builder);
+ response.addHeader("Content-Type", "application/javascript");
+ channel.sendResponse(response);
+ } catch (IOException e) {
+ logger.warn("Failed to send response", e);
+ return;
+ }
+ return;
+ }
  if (filters.length == 0) {
  try {
  executeHandler(request, channel);

src/test/java/org/elasticsearch/options/jsonp/JsonpOptionDisabledTest.java

@@ -0,0 +1,59 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.options.jsonp;
+
+import org.elasticsearch.common.settings.ImmutableSettings;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.http.HttpServerTransport;
+import org.elasticsearch.rest.helper.HttpClient;
+import org.elasticsearch.rest.helper.HttpClientResponse;
+import org.elasticsearch.test.ElasticsearchIntegrationTest;
+import org.elasticsearch.test.ElasticsearchIntegrationTest.ClusterScope;
+import org.elasticsearch.test.ElasticsearchIntegrationTest.Scope;
+import org.junit.Test;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+
+// Test to make sure that our JSONp response is disabled
+@ClusterScope(scope = Scope.TEST, numDataNodes = 1)
+public class JsonpOptionDisabledTest extends ElasticsearchIntegrationTest {
+
+ // Build our cluster settings
+ @Override
+ protected Settings nodeSettings(int nodeOrdinal) {
+ return ImmutableSettings.settingsBuilder()
+ .put("http.jsonp.enable", false)
+ .put(super.nodeSettings(nodeOrdinal))
+ .build();
+ }
+
+ // Make sure our response has both the callback as well as our "JSONP is disabled" message. 
+ @Test
+ public void testThatJSONPisDisabled() throws Exception {
+ // Make the HTTP request
+ HttpServerTransport httpServerTransport = internalCluster().getDataNodeInstance(HttpServerTransport.class);
+ HttpClient httpClient = new HttpClient(httpServerTransport.boundAddress().publishAddress());
+ HttpClientResponse response = httpClient.request("/?callback=DisabledJSONPCallback");
+ assertThat(response.getHeader("Content-Type"), is("application/javascript"));
+ assertThat(response.response(), containsString("DisabledJSONPCallback("));
+ assertThat(response.response(), containsString("JSONP is disabled"));
+ }
+}

src/test/java/org/elasticsearch/options/jsonp/JsonpOptionEnabledTest.java

@@ -0,0 +1,59 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.options.jsonp;
+
+import org.elasticsearch.common.settings.ImmutableSettings;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.http.HttpServerTransport;
+import org.elasticsearch.rest.helper.HttpClient;
+import org.elasticsearch.rest.helper.HttpClientResponse;
+import org.elasticsearch.test.ElasticsearchIntegrationTest;
+import org.elasticsearch.test.ElasticsearchIntegrationTest.ClusterScope;
+import org.elasticsearch.test.ElasticsearchIntegrationTest.Scope;
+import org.junit.Test;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+
+// Test to make sure that our JSONp response is enabled by default
+@ClusterScope(scope = Scope.TEST, numDataNodes = 1)
+public class JsonpOptionEnabledTest extends ElasticsearchIntegrationTest {
+
+ // Build our cluster settings
+ @Override
+ protected Settings nodeSettings(int nodeOrdinal) {
+ return ImmutableSettings.settingsBuilder()
+ .put("http.jsonp.enable", true)
+ .put(super.nodeSettings(nodeOrdinal))
+ .build();
+ }
+
+ // Make sure our response has both the callback and opening paren, as well as the famous Elasticsearch tagline :)
+ @Test
+ public void testThatJSONPisEnabled() throws Exception {
+ // Make the HTTP request
+ HttpServerTransport httpServerTransport = internalCluster().getDataNodeInstance(HttpServerTransport.class);
+ HttpClient httpClient = new HttpClient(httpServerTransport.boundAddress().publishAddress());
+ HttpClientResponse response = httpClient.request("/?callback=EnabledJSONPCallback");
+ assertThat(response.getHeader("Content-Type"), is("application/javascript"));
+ assertThat(response.response(), containsString("EnabledJSONPCallback("));
+ assertThat(response.response(), containsString("You Know, for Search"));
+ }
+}