add validation check for doc level query name during monitor creation

Signed-off-by: Joanne Wang <[email protected]>

Author: jowg-amazon

alerting/src/main/kotlin/org/opensearch/alerting/resthandler/RestIndexMonitorAction.kt

@@ -16,6 +16,7 @@ import org.opensearch.commons.alerting.action.AlertingActions
 import org.opensearch.commons.alerting.action.IndexMonitorRequest
 import org.opensearch.commons.alerting.action.IndexMonitorResponse
 import org.opensearch.commons.alerting.model.BucketLevelTrigger
+import org.opensearch.commons.alerting.model.DocLevelMonitorInput
 import org.opensearch.commons.alerting.model.DocumentLevelTrigger
 import org.opensearch.commons.alerting.model.Monitor
 import org.opensearch.commons.alerting.model.QueryLevelTrigger
@@ -46,6 +47,11 @@ private val log = LogManager.getLogger(RestIndexMonitorAction::class.java)
  */
 class RestIndexMonitorAction : BaseRestHandler() {
 
+    // allowed characters [- : , ( ) [ ] ' _]
+    private val allowedChars = "-:,\\(\\)\\[\\]\'_"
+    // regex to restrict string to alphanumeric and allowed chars, must be between 1 - 256 characters
+    val regex = "[\\w\\s$allowedChars]{1,256}"
+
     override fun getName(): String {
         return "index_monitor_action"
     }
@@ -116,9 +122,11 @@ class RestIndexMonitorAction : BaseRestHandler() {
                     if (it !is DocumentLevelTrigger) {
                         throw IllegalArgumentException("Illegal trigger type, ${it.javaClass.name}, for document level monitor")
                     }
+                    validateDocLevelQueryName(monitor)
                 }
             }
         }
+
         val seqNo = request.paramAsLong(IF_SEQ_NO, SequenceNumbers.UNASSIGNED_SEQ_NO)
         val primaryTerm = request.paramAsLong(IF_PRIMARY_TERM, SequenceNumbers.UNASSIGNED_PRIMARY_TERM)
         val refreshPolicy = if (request.hasParam(REFRESH)) {
@@ -133,6 +141,19 @@ class RestIndexMonitorAction : BaseRestHandler() {
         }
     }
 
+    private fun validateDocLevelQueryName(monitor: Monitor) {
+        monitor.inputs.filterIsInstance<DocLevelMonitorInput>().forEach { docLevelMonitorInput ->
+            docLevelMonitorInput.queries.forEach { dlq ->
+                if (!dlq.name.matches(Regex(regex))) {
+                    throw IllegalArgumentException(
+                        "Doc level query name, ${dlq.name}, may only contain alphanumeric values and " +
+                            "these special characters: ${allowedChars.replace("\\","")}"
+                    )
+                }
+            }
+        }
+    }
+
     private fun validateDataSources(monitor: Monitor) { // Data Sources will currently be supported only at transport layer.
         if (monitor.dataSources != null) {
             if (

alerting/src/test/kotlin/org/opensearch/alerting/resthandler/MonitorRestApiIT.kt

@@ -26,6 +26,8 @@ import org.opensearch.alerting.randomAnomalyDetector
 import org.opensearch.alerting.randomAnomalyDetectorWithUser
 import org.opensearch.alerting.randomBucketLevelMonitor
 import org.opensearch.alerting.randomBucketLevelTrigger
+import org.opensearch.alerting.randomDocLevelMonitorInput
+import org.opensearch.alerting.randomDocLevelQuery
 import org.opensearch.alerting.randomDocumentLevelMonitor
 import org.opensearch.alerting.randomDocumentLevelTrigger
 import org.opensearch.alerting.randomQueryLevelMonitor
@@ -1285,6 +1287,48 @@ class MonitorRestApiIT : AlertingRestTestCase() {
         }
     }
 
+    fun `test creating and updating a document monitor with invalid query name`() {
+        // creating a monitor with an invalid query name
+        val invalidQueryName = "Invalid @ query ! name"
+        val queries = listOf(randomDocLevelQuery(name = invalidQueryName))
+        val randomDocLevelMonitorInput = randomDocLevelMonitorInput(queries = queries)
+        val inputs = listOf(randomDocLevelMonitorInput)
+        val trigger = randomDocumentLevelTrigger()
+        var monitor = randomDocumentLevelMonitor(inputs = inputs, triggers = listOf(trigger))
+
+        try {
+            client().makeRequest("POST", ALERTING_BASE_URI, emptyMap(), monitor.toHttpEntity())
+            fail("Doc level monitor with invalid query name should be rejected")
+        } catch (e: ResponseException) {
+            assertEquals("Unexpected status", RestStatus.BAD_REQUEST, e.response.restStatus())
+            val expectedMessage = "Doc level query name, $invalidQueryName, may only contain alphanumeric values"
+            e.message?.let { assertTrue(it.contains(expectedMessage)) }
+        }
+
+        // successfully creating monitor with valid query name
+        val testIndex = createTestIndex()
+        val docQuery = DocLevelQuery(query = "test_field:\"us-west-2\"", name = "valid name", fields = listOf())
+        val docLevelInput = DocLevelMonitorInput("description", listOf(testIndex), listOf(docQuery))
+
+        monitor = createMonitor(randomDocumentLevelMonitor(inputs = listOf(docLevelInput), triggers = listOf(trigger)))
+
+        // updating monitor with invalid query name
+        val updatedDocQuery = DocLevelQuery(query = "test_field:\"us-west-2\"", name = invalidQueryName, fields = listOf())
+        val updatedDocLevelInput = DocLevelMonitorInput("description", listOf(testIndex), listOf(updatedDocQuery))
+
+        try {
+            client().makeRequest(
+                "PUT", monitor.relativeUrl(),
+                emptyMap(), monitor.copy(inputs = listOf(updatedDocLevelInput)).toHttpEntity()
+            )
+            fail("Doc level monitor with invalid query name should be rejected")
+        } catch (e: ResponseException) {
+            assertEquals("Unexpected status", RestStatus.BAD_REQUEST, e.response.restStatus())
+            val expectedMessage = "Doc level query name, $invalidQueryName, may only contain alphanumeric values"
+            e.message?.let { assertTrue(it.contains(expectedMessage)) }
+        }
+    }
+
     /**
      * This use case is needed by the frontend plugin for displaying alert counts on the Monitors list page.
      * https://github.com/opensearch-project/alerting-dashboards-plugin/blob/main/server/services/MonitorService.js#L235