Skip to content

[BUG] Snapshot rename replacement unbounded length rename #20464

Closed
#20465
Closed
[BUG] Snapshot rename replacement unbounded length rename#20464
#20465
Labels
Storage:SnapshotsbugSomething isn't workinguntriaged
@meet-v25

Description

@meet-v25
meet-v25
opened on Jan 23, 2026

Describe the bug

OpenSearch's snapshot restore functionality is not checking the length of the rename index in the renameIndex() method. It can lead to processing of a huge string of index.

Location: server/src/main/java/org/opensearch/snapshots/RestoreService.java:1301
renamedIndex = index.replaceAll(request.renamePattern(), request.renameReplacement());

The String.replaceAll() method is called without validating:

  1. The length of the replacement string
  2. The resulting index name length after replacement

Related component

Storage:Snapshots

To Reproduce

  1. Create an index with a name containing many repeated characters (e.g., "a" * 255)
  2. Let it / create a snapshot of the index
  3. Restore the snapshot with malicious rename parameters:
    i. rename_pattern: "a" (matches each character)
    ii. rename_replacement: "b" * 1,000,000 (1 million characters per match)
  4. Result: 255 matches * 1M characters = 255 million character string allocation
  5. JVM runs out of memory and crashes
opensearch  | java.lang.OutOfMemoryError: Java heap space
opensearch  | Dumping heap to data/java_pid1.hprof ...
opensearch  | Unable to create data/java_pid1.hprof: File exists
opensearch  | [2026-01-05T10:00:57,140][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [e9baa2091a80] fatal error in thread [opensearch[e9baa2091a80][generic][T#3]], exiting
opensearch  | java.lang.OutOfMemoryError: Java heap space

Expected behavior

There should not be any JVM crashes on any nodes due to an index renaming during index restore from snapshot.

Solution: Add validation for the rename_replacement field and cap the field size to 255 bytes. This size limit is the same limit of index names as in OpenSearch.

Additional Details

Plugins
Please list all plugins currently enabled.

Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

  • OS: [e.g. iOS]
  • Version [e.g. 22]

Additional context
Add any other context about the problem here.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Storage:SnapshotsbugSomething isn't workinguntriaged

    Type

    No type

    Projects

    Storage Project Board

    Status

    ✅ Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions