Canonicalize option values as numeric types before DSL generation

mengweieric · mengweieric · commit 9a4955a569c7 · 2026-04-09T11:42:55.000-07:00
Parse k as integer, max_distance and min_score as double before they
reach buildKnnQuery(). Rejects non-numeric and non-finite values with
clear errors. This closes the residual JSON-injection path through
option values without requiring full XContent migration.

Also fixes toString() to be consistent with the named-arg guard
(no longer blindly casts to NamedArgumentExpression).

Signed-off-by: Eric Wei &lt;mengwei.eric@gmail.com&gt;
diff --git a/opensearch/src/main/java/org/opensearch/sql/opensearch/storage/VectorSearchTableFunctionImplementation.java b/opensearch/src/main/java/org/opensearch/sql/opensearch/storage/VectorSearchTableFunctionImplementation.java
@@ -75,11 +75,13 @@ public String toString() {
     List<String> args =
         arguments.stream()
             .map(
-                arg ->
-                    String.format(
-                        "%s=%s",
-                        ((NamedArgumentExpression) arg).getArgName(),
-                        ((NamedArgumentExpression) arg).getValue().toString()))
+                arg -> {
+                  if (arg instanceof NamedArgumentExpression) {
+                    NamedArgumentExpression named = (NamedArgumentExpression) arg;
+                    return String.format("%s=%s", named.getArgName(), named.getValue().toString());
+                  }
+                  return arg.toString();
+                })
             .collect(Collectors.toList());
     return String.format("%s(%s)", functionName, String.join(", ", args));
   }
@@ -147,6 +149,10 @@ private void validateFieldName(String fieldName) {
     }
   }
 
+  /**
+   * Validates and canonicalizes option values. All P0 option values must be numeric. Parsing them
+   * here prevents non-numeric strings from reaching the raw JSON construction in buildKnnQuery().
+   */
   private void validateOptions(Map<String, String> options) {
     // Reject unknown option keys — only P0 keys are allowed
     for (String key : options.keySet()) {
@@ -162,6 +168,40 @@ private void validateOptions(Map<String, String> options) {
       throw new ExpressionEvaluationException(
           "Missing required option: one of k, max_distance, or min_score");
     }
+    // Parse and canonicalize numeric values — closes JSON injection via option values
+    if (hasK) {
+      parseIntOption(options, "k");
+    }
+    if (hasMaxDistance) {
+      parseDoubleOption(options, "max_distance");
+    }
+    if (hasMinScore) {
+      parseDoubleOption(options, "min_score");
+    }
+  }
+
+  private void parseIntOption(Map<String, String> options, String key) {
+    try {
+      int value = Integer.parseInt(options.get(key));
+      options.put(key, Integer.toString(value));
+    } catch (NumberFormatException e) {
+      throw new ExpressionEvaluationException(
+          String.format("Option '%s' must be an integer, got '%s'", key, options.get(key)));
+    }
+  }
+
+  private void parseDoubleOption(Map<String, String> options, String key) {
+    try {
+      double value = Double.parseDouble(options.get(key));
+      if (!Double.isFinite(value)) {
+        throw new ExpressionEvaluationException(
+            String.format("Option '%s' must be a finite number, got '%s'", key, options.get(key)));
+      }
+      options.put(key, Double.toString(value));
+    } catch (NumberFormatException e) {
+      throw new ExpressionEvaluationException(
+          String.format("Option '%s' must be a number, got '%s'", key, options.get(key)));
+    }
   }
 
   private String getArgumentValue(String name) {
diff --git a/opensearch/src/test/java/org/opensearch/sql/opensearch/storage/VectorSearchTableFunctionImplementationTest.java b/opensearch/src/test/java/org/opensearch/sql/opensearch/storage/VectorSearchTableFunctionImplementationTest.java
@@ -152,6 +152,33 @@ void testNestedFieldNameAllowed() {
     assertTrue(table instanceof VectorSearchIndex);
   }
 
+  @Test
+  void testNonNumericKThrows() {
+    VectorSearchTableFunctionImplementation impl =
+        createImplWithArgs("my-index", "embedding", "[1.0, 2.0]", "k=abc");
+    ExpressionEvaluationException ex =
+        assertThrows(ExpressionEvaluationException.class, () -> impl.applyArguments());
+    assertTrue(ex.getMessage().contains("must be an integer"));
+  }
+
+  @Test
+  void testNonNumericMaxDistanceThrows() {
+    VectorSearchTableFunctionImplementation impl =
+        createImplWithArgs("my-index", "embedding", "[1.0, 2.0]", "max_distance=notanumber");
+    ExpressionEvaluationException ex =
+        assertThrows(ExpressionEvaluationException.class, () -> impl.applyArguments());
+    assertTrue(ex.getMessage().contains("must be a number"));
+  }
+
+  @Test
+  void testInfiniteMinScoreThrows() {
+    VectorSearchTableFunctionImplementation impl =
+        createImplWithArgs("my-index", "embedding", "[1.0, 2.0]", "min_score=Infinity");
+    ExpressionEvaluationException ex =
+        assertThrows(ExpressionEvaluationException.class, () -> impl.applyArguments());
+    assertTrue(ex.getMessage().contains("must be a finite number"));
+  }
+
   @Test
   void testNonNamedArgThrows() {
     FunctionName functionName = FunctionName.of("vectorsearch");
