Add multi-index comma-separated source FGAC bypass tests

finnegancarroll · finnegancarroll · commit 9de2f9d5e778 · 2026-06-24T16:21:48.000-07:00
Regression tests for authorization bypass where PPL multi-index queries
(source = idx1, idx2) only evaluated permissions on the first index,
allowing unauthorized access to subsequent indices.

Tests cover:
- Authorized index first, unauthorized second (the bypass vector)
- Backtick-quoted variant of the same
- Unauthorized index first (control: should be denied)
- Both indices authorized (positive case)

Signed-off-by: Finnegan Carroll &lt;carrofin@amazon.com&gt;
Signed-off-by: Finn Carroll &lt;carrofin@amazon.com&gt;
diff --git a/integ-test/build.gradle b/integ-test/build.gradle
@@ -151,7 +151,8 @@ ext {
             'plugins.security.enable_snapshot_restore_privilege' : 'true',
             'plugins.security.check_snapshot_restore_write_privileges' : 'true',
             'plugins.security.restapi.roles_enabled' : '["all_access", "security_rest_api_access"]',
-            'plugins.security.system_indices.enabled' : 'true'
+            'plugins.security.system_indices.enabled' : 'true',
+            'cluster.pluggable.dataformat' : 'composite'
         ].forEach { name, value ->
             cluster.setting name, value
         }
@@ -502,11 +503,11 @@ testClusters.analyticsEngineSecurityIT {
     plugin(getJobSchedulerPlugin())
     plugin(getArrowBasePlugin())
     plugin(getArrowFlightRpcPlugin())
+    plugin(getCompositeEnginePlugin())
     plugin(getAnalyticsEnginePlugin())
     plugin(getAnalyticsBackendLucenePlugin())
     plugin(getAnalyticsBackendDatafusionPlugin())
     plugin(getParquetDataFormatPlugin())
-    plugin(getCompositeEnginePlugin())
     plugin ":opensearch-sql-plugin"
     // Arrow Flight / streaming transport requirements
     jvmArgs '--add-opens=java.base/java.nio=ALL-UNNAMED'
diff --git a/integ-test/src/test/java/org/opensearch/sql/security/AnalyticsEngineSecurityIT.java b/integ-test/src/test/java/org/opensearch/sql/security/AnalyticsEngineSecurityIT.java
@@ -122,9 +122,7 @@ private void createCompositeIndex(String index) throws IOException {
           {
             "settings": {
               "number_of_shards": 1,
-              "number_of_replicas": 0,
-              "index.pluggable.dataformat.enabled": true,
-              "index.pluggable.dataformat": "composite"
+              "number_of_replicas": 0
             }
           }
           """);
@@ -393,6 +391,68 @@ public void testPPLQueryWithWildcardIndexPartialAccessDenied() throws IOExceptio
     assertEquals(403, e.getResponse().getStatusLine().getStatusCode());
   }
 
+  // --- Multi-index comma-separated source tests (CVE: authorization bypass) ---
+
+  @Test
+  public void testPPLMultiIndexDeniedWhenSecondIndexUnauthorized() throws IOException {
+    // ALLOWED_USER has access to TEST_INDEX but NOT FORBIDDEN_INDEX.
+    // A comma-separated source listing an authorized index first followed by an unauthorized
+    // index must be denied. Regression: previously only the first index was checked.
+    ResponseException e =
+        assertThrows(
+            ResponseException.class,
+            () ->
+                executePPLAsUser(
+                    "source = " + TEST_INDEX + ", " + FORBIDDEN_INDEX + " | fields name, age",
+                    ALLOWED_USER));
+    assertEquals(403, e.getResponse().getStatusLine().getStatusCode());
+  }
+
+  @Test
+  public void testPPLMultiIndexDeniedWithBackticksAuthorizedFirst() throws IOException {
+    // Same bypass vector using backtick-quoted index names.
+    ResponseException e =
+        assertThrows(
+            ResponseException.class,
+            () ->
+                executePPLAsUser(
+                    "source = `" + TEST_INDEX + "`, `" + FORBIDDEN_INDEX + "` | fields name, age",
+                    ALLOWED_USER));
+    assertEquals(403, e.getResponse().getStatusLine().getStatusCode());
+  }
+
+  @Test
+  public void testPPLMultiIndexDeniedWithUnauthorizedFirst() throws IOException {
+    // Unauthorized index listed first — should also be denied.
+    ResponseException e =
+        assertThrows(
+            ResponseException.class,
+            () ->
+                executePPLAsUser(
+                    "source = " + FORBIDDEN_INDEX + ", " + TEST_INDEX + " | fields name, age",
+                    ALLOWED_USER));
+    assertEquals(403, e.getResponse().getStatusLine().getStatusCode());
+  }
+
+  @Test
+  public void testPPLMultiIndexAllowedWhenAllAuthorized() throws IOException {
+    // ALLOWED_USER has access to TEST_INDEX. TEST_INDEX_2 is also covered by the
+    // wildcard user's pattern but let's use allowed_user with both permitted indices.
+    // Use WILDCARD_USER who has "analytics_security*" covering both TEST_INDEX and TEST_INDEX_2.
+    try {
+      JSONObject result =
+          executePPLAsUser(
+              "source = " + TEST_INDEX + ", " + TEST_INDEX_2 + " | fields name, age",
+              WILDCARD_USER);
+      assertTrue("Expected datarows in response", result.has("datarows"));
+    } catch (ResponseException e) {
+      assertNotEquals(
+          "Expected auth to pass (not 403) when all indices are authorized",
+          403,
+          e.getResponse().getStatusLine().getStatusCode());
+    }
+  }
+
   @Test
   public void testSQLQueryAllowedForAuthorizedUser() throws IOException {
     try {
