Set a maximum depth for nested queries

[kkhatua]

Is your feature request related to a problem? Please describe.
A recent review of the dependency libraries showed that CVE-2020-36518 (jackson-databind) can lead to creation of a large depth of nested objects and potentially cause a stack overflow.

Describe the solution you'd like
While the immediate fix is upgrading the affected library to a patched version of the library (#2599) we need to constrain this depth in general. This would be the fastest mitigation to protect against other possible vulnerabilities that can be exploited like this through other means, or even by accidental generation through a script.

Describe alternatives you've considered
None. Introduction of a max limit (cluster level setting) would be sufficient to address the issue in general, in context of exploits and in the context of rogue queries generated by accident.

Additional context
None

[dblock]

Since #2599 was merged and backported to 2.x, 1.x (please check whether it was released as part of 1.3.2 and 2.0-rc1), do I correctly understand that while we don't have to add a limit for this particular problem, we want it for general hygiene to avoid similar issues in the future?

[kkhatua]

Since #2599 was merged and backported to 2.x, 1.x (please check whether it was released as part of 1.3.2 and 2.0-rc1), do I correctly understand that while we don't have to add a limit for this particular problem, we want it for general hygiene to avoid similar issues in the future?

Yes, that is correct. Having a parameter-based limit allows for mitigating the risk.

[warmachinesocial]

Hi team, I'm very new this project and I would like to ask you if you could tell the best way to begin and get to know general overview of it (architecture). I didn't jackson was a parser for java until now, I would like to ask on jackson-databind what is really is? I did some googling but don't know about the underneath of the library

[divyam-agarwal]

Hi, I would like to take this up. Could you please assign me this issue?

[anasalkouz]

Hi @divyam-agarwal, it has been a while since your last comment, are you actively working on this?

[MansiShinde]

Hi @sejli, I would like to take up this issue as a part of OSCI. Could you please assign it to me? Thanks!

[mkhludnev]

Q: Should we also check depth of nested scopes in mapping? documents?
A: ok. already have index.mapping.nested_objects.limit, index.mapping.nested_objects.limit

[mkhludnev]

Please have a look at #11670 There are no docs, and I'm hesitating about naming.

[mkhludnev]

documentation opensearch-project/documentation-website#6346, opensearch-project/documentation-website#6347