Hi all,
We use a Node project that uses the elasticsearch JavaScript package (14.2.2), which is the latest version.
We have received a security audit report from a security firm stating that, in the elasticsearch (14.2.2) JavaScript package, it is possible to have a CRLF injection issue (Improper Output Neutralization for Logs) at /src/lib/connectors/xhr.js line 76,
i.e. whether it is possible to have a log forging attack via line #76:
```javascript
73:   xhr.onreadystatechange = function () {
74:     if (xhr.readyState === 4) {
75:       clearTimeout(timeoutId);
76:       log.trace(params.method, url, params.body, xhr.responseText, xhr.status);
          var err = xhr.status ? void 0 : new ConnectionFault(xhr.statusText || 'Request failed to complete.');
          cb(err, xhr.responseText, xhr.status);
        }
      };
```
Has this already been identified by the Elasticsearch community? Or is there any configuration setting to disable log.trace()?
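The finding above concerns values such as `url` and `xhr.responseText` reaching `log.trace` with CR/LF intact, so a response body containing a newline could start a second, forged-looking log record. As an added example (not code from the elasticsearch-js package), here is a small wrapper that neutralizes control characters in each field before it is logged; the names `sanitizeLogField` and `formatTraceLine` and the sample response are assumptions made for the illustration.

```javascript
// Added example, not from the elasticsearch-js package: escape CR/LF and other
// control characters so every logged field stays on one line. Function names
// and the sample response below are constructed for this illustration.

const CONTROL_CHARS = /[\x00-\x1f\x7f]/g;

// Escape control characters and cap length so a field cannot add log records.
function sanitizeLogField(value, maxLen = 4096) {
  let s = value === undefined || value === null ? '' : String(value);
  if (s.length > maxLen) s = s.slice(0, maxLen) + '...[truncated]';
  return s.replace(CONTROL_CHARS, (c) => {
    switch (c) {
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\t': return '\\t';
      default: return '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0');
    }
  });
}

// Build the single line that a log.trace(method, url, body, responseText, status)
// call would emit, with every field neutralized first.
function formatTraceLine(method, url, body, responseText, status) {
  return [method, url, body, responseText, status]
    .map((f) => sanitizeLogField(f))
    .join(' ');
}

// Constructed sample: a response body that carries a CRLF followed by text
// shaped like a second log record.
const sampleResponse = '{"ok":true}\r\nERROR something that looks like a new record';
const traceLine = formatTraceLine('GET', '/_cluster/health', undefined, sampleResponse, 200);

// After sanitizing, the CR/LF survive only as the literal characters "\r\n",
// so the log consumer still sees exactly one record.
const staysOnOneLine = !traceLine.includes('\n') && !traceLine.includes('\r');
console.log(traceLine, staysOnOneLine);
```

The same wrapper can be applied in a custom log handler if the library's own logging cannot be turned off in your setup.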