opensearch-project · cwperks · Aug 19, 2025 · Aug 19, 2025 · Aug 19, 2025
@@ -34,6 +34,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Update OpenTelemetry to 1.53.0 and OpenTelemetry SemConv to 1.34.0 ([#19068](https://github.com/opensearch-project/OpenSearch/pull/19068))
 - Bump `1password/load-secrets-action` from 2 to 3 ([#19100](https://github.com/opensearch-project/OpenSearch/pull/19100))
 - Bump `com.nimbusds:nimbus-jose-jwt` from 10.3 to 10.4.2 ([#19099](https://github.com/opensearch-project/OpenSearch/pull/19099), [#19101](https://github.com/opensearch-project/OpenSearch/pull/19101))
+- Bump netty from 4.1.121.Final to 4.1.124.Final ([#19103](https://github.com/opensearch-project/OpenSearch/pull/19103))
 
 ### Deprecated
 

@@ -33,7 +33,7 @@ json_smart        = "2.5.2"
 # when updating the JNA version, also update the version in buildSrc/build.gradle
 jna               = "5.16.0"
 
-netty             = "4.1.121.Final"
+netty             = "4.1.124.Final"
 joda              = "2.12.7"
 roaringbitmap     = "1.3.0"
 

@@ -0,0 +1 @@
+1e9c299dc908e801b4e041bef1b81cfe0ca0038c
@@ -0,0 +1 @@
+081e66a1586b6ae4f810f297d2b050c968a11658
@@ -0,0 +1 @@
+57d4a06c3241f153410ffec292004fbba87b9695
@@ -0,0 +1 @@
+24f9b9afacb3d79c176d10424890ebd4457ceaf7
@@ -0,0 +1 @@
+46f22130821ee796e347b90693f61d7fc4b2e8a6
@@ -0,0 +1 @@
+13abbd2534e08e60b42829900d2a5d10b9417129
@@ -0,0 +1 @@
+85758b8fd2e75bce01423298592401bf649a5e31
@@ -0,0 +1 @@
+ce4f80c96f32d51659e142237c3ffbc678765e4e
@@ -0,0 +1 @@
+06df613f0356d4de02574507754afb33874a7336
@@ -0,0 +1,68 @@
+diff --git a/modules/lang-mustache/src/main/java/org/opensearch/script/mustache/MustacheScriptEngine.java b/modules/lang-mustache/src/main/java/org/opensearch/script/mustache/MustacheScriptEngine.java
+index 842353fdba3..3d6dca775b7 100644
+--- a/modules/lang-mustache/src/main/java/org/opensearch/script/mustache/MustacheScriptEngine.java
++++ b/modules/lang-mustache/src/main/java/org/opensearch/script/mustache/MustacheScriptEngine.java
+@@ -47,13 +47,16 @@ import org.opensearch.script.ScriptEngine;
+ import org.opensearch.script.ScriptException;
+ import org.opensearch.script.TemplateScript;
+
++import java.io.IOException;
+ import java.io.Reader;
+ import java.io.StringReader;
+ import java.io.StringWriter;
++import java.io.Writer;
+ import java.security.AccessController;
+ import java.security.PrivilegedAction;
+ import java.util.Collections;
+ import java.util.Map;
++import java.util.Objects;
+ import java.util.Set;
+
+ /**
+@@ -110,6 +113,37 @@ public final class MustacheScriptEngine implements ScriptEngine {
+         return NAME;
+     }
+
++    private final class BoundedWriter extends Writer {
++        private final Writer delegate;
++        private final long maxChars;
++        private long written;
++
++        public BoundedWriter(Writer delegate, long maxChars) {
++            this.delegate = Objects.requireNonNull(delegate);
++            this.maxChars = maxChars;
++        }
++
++        @Override
++        public void write(char[] cbuf, int off, int len) throws IOException {
++            if (written + len > maxChars) {
++                throw new IOException("Writer size limit " + maxChars + " chars exceeded");
++            }
++            delegate.write(cbuf, off, len);
++            written += len;
++        }
++
++        /* delegate flush()/close() as-is */
++        @Override
++        public void flush() throws IOException {
++            delegate.flush();
++        }
++
++        @Override
++        public void close() throws IOException {
++            delegate.close();
++        }
++    }
++
+     /**
+      * Used at query execution time by script service in order to execute a query template.
+      * */
+@@ -131,7 +165,7 @@ public final class MustacheScriptEngine implements ScriptEngine {
+         @SuppressWarnings("removal")
+         @Override
+         public String execute() {
+-            final StringWriter writer = new StringWriter();
++            final Writer writer = new BoundedWriter(new StringWriter(), 100_000); // 100 k chars max
+             try {
+                 // crazy reflection here
+                 SpecialPermission.check();
@@ -0,0 +1 @@
+1e9c299dc908e801b4e041bef1b81cfe0ca0038c
@@ -0,0 +1 @@
+081e66a1586b6ae4f810f297d2b050c968a11658
@@ -0,0 +1 @@
+57d4a06c3241f153410ffec292004fbba87b9695
@@ -0,0 +1 @@
+24f9b9afacb3d79c176d10424890ebd4457ceaf7
@@ -0,0 +1 @@
+46f22130821ee796e347b90693f61d7fc4b2e8a6
@@ -0,0 +1 @@
+13abbd2534e08e60b42829900d2a5d10b9417129
@@ -0,0 +1 @@
+85758b8fd2e75bce01423298592401bf649a5e31
@@ -0,0 +1 @@
+ce4f80c96f32d51659e142237c3ffbc678765e4e
@@ -0,0 +1 @@
+c211ad4e253d8fbb195a868d849c2645544866e7
@@ -0,0 +1 @@
+06df613f0356d4de02574507754afb33874a7336
@@ -0,0 +1 @@
+1e9c299dc908e801b4e041bef1b81cfe0ca0038c
@@ -0,0 +1 @@
+081e66a1586b6ae4f810f297d2b050c968a11658
@@ -0,0 +1 @@
+57d4a06c3241f153410ffec292004fbba87b9695
@@ -0,0 +1 @@
+24f9b9afacb3d79c176d10424890ebd4457ceaf7
@@ -0,0 +1 @@
+46f22130821ee796e347b90693f61d7fc4b2e8a6
@@ -0,0 +1 @@
+13abbd2534e08e60b42829900d2a5d10b9417129
@@ -0,0 +1 @@
+85758b8fd2e75bce01423298592401bf649a5e31
@@ -0,0 +1 @@
+ce4f80c96f32d51659e142237c3ffbc678765e4e
@@ -0,0 +1 @@
+c211ad4e253d8fbb195a868d849c2645544866e7
@@ -0,0 +1 @@
+06df613f0356d4de02574507754afb33874a7336
@@ -0,0 +1 @@
+ecfc4946066df549ecce8b9cec999e4b1526c8f2
@@ -0,0 +1 @@
+24f9b9afacb3d79c176d10424890ebd4457ceaf7
@@ -0,0 +1 @@
+fc2ee1c4e0d88804c1d058da8b3a4d483b1a2754
@@ -0,0 +1 @@
+ae6a6cee393435f59634f2f96fa88f671dac90e0
@@ -0,0 +1 @@
+e8a87f24b00128b931ee18cac08a3be745dc84ce
@@ -0,0 +1 @@
+06df613f0356d4de02574507754afb33874a7336
@@ -0,0 +1 @@
+69da28615a03bf0a3e377fdb44106338d57c52d9
@@ -0,0 +1 @@
+1e9c299dc908e801b4e041bef1b81cfe0ca0038c
@@ -0,0 +1 @@
+081e66a1586b6ae4f810f297d2b050c968a11658
@@ -0,0 +1 @@
+57d4a06c3241f153410ffec292004fbba87b9695
@@ -0,0 +1 @@
+24f9b9afacb3d79c176d10424890ebd4457ceaf7
@@ -0,0 +1 @@
+46f22130821ee796e347b90693f61d7fc4b2e8a6
@@ -0,0 +1 @@
+13abbd2534e08e60b42829900d2a5d10b9417129
@@ -0,0 +1 @@
+85758b8fd2e75bce01423298592401bf649a5e31
@@ -0,0 +1 @@
+ce4f80c96f32d51659e142237c3ffbc678765e4e
@@ -0,0 +1 @@
+c211ad4e253d8fbb195a868d849c2645544866e7
@@ -0,0 +1 @@
+06df613f0356d4de02574507754afb33874a7336
@@ -0,0 +1 @@
+1e9c299dc908e801b4e041bef1b81cfe0ca0038c
@@ -0,0 +1 @@
+081e66a1586b6ae4f810f297d2b050c968a11658
@@ -0,0 +1 @@
+ecfc4946066df549ecce8b9cec999e4b1526c8f2
@@ -0,0 +1 @@
+57d4a06c3241f153410ffec292004fbba87b9695
@@ -0,0 +1 @@
+24f9b9afacb3d79c176d10424890ebd4457ceaf7
@@ -0,0 +1 @@
+46f22130821ee796e347b90693f61d7fc4b2e8a6