Do I have to worry about an MVEL attack?

If I take in a string variable from a client that will be inserted (or used
for updating) a field in ES using MVEL, is it possible for someone to
attack my data with some form of escaped String?

eg (I hope my example makes sense because I've been trying to wrap my head
around this and keep getting confused.)
with a field in ES

"data": {
{"type":"xyz"},
{"type":"abc"}
}

and an update script

String updateScript = "for(item : ctx._source.data){if(item.type == ""oldType

  • ""){ item.type="" + newType + "";}}"

Is it possible to supply a String which has escaped characters that could
cause harm.

newType = "abc"; item=null;""

Bottom line here is essentially do I have worry about being attacked
through variable passed in by a client and given to MVEL?

Thanks

--

Of course it's possible!
You should always check the data that comes from an external source!

Escape the string or make sure there's no special characters in it.

Sometimes I use a JSON escape
( JSONValue#escape from
http://code.google.com/p/json-simple/source/browse/trunk/src/main/java/org/json/simple/JSONValue.java
for example ).

понедельник, 7 января 2013 г., 14:13:29 UTC+4 пользователь chris harrington
написал:

If I take in a string variable from a client that will be inserted (or
used for updating) a field in ES using MVEL, is it possible for someone to
attack my data with some form of escaped String?

--

Generating script on the client for every update is problematic not only
because it opens you to code injection attacks, but also because it's
inefficient. If your script will change for every call, elasticsearch will
have to parse it again and again. Instead of generating script every time,
use static script and pass changing values as script parameters.

On Monday, January 7, 2013 8:59:46 AM UTC-5, Artem Grinblat wrote:

Of course it's possible!
You should always check the data that comes from an external source!

Escape the string or make sure there's no special characters in it.

Sometimes I use a JSON escape
( JSONValue#escape from
http://code.google.com/p/json-simple/source/browse/trunk/src/main/java/org/json/simple/JSONValue.javafor example ).

понедельник, 7 января 2013 г., 14:13:29 UTC+4 пользователь chris
harrington написал:

If I take in a string variable from a client that will be inserted (or
used for updating) a field in ES using MVEL, is it possible for someone to
attack my data with some form of escaped String?

--

The script isn't on the client, the script is on the server, the example
above would be on the server and the client would be passing in 'oldType'
and 'newType'. The possibility of attack comes from the String variable
passed in from the client. I've been trying to work how the string would
look like so I can take appropriate measures but so far all I've been able
to do is cause a concurrent modification exception.

Map vars= new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

String var = "abc";key.add("444");""; //this represents a String
passed in from a client

String script = "for(item:key){; if(item=="two"){item += ""+ var +
"";}}"; //this represents some script that updates data.

MVEL.eval(script, vars);// represents ES evaluating the MVEL.

While the MVEL iterates over the ArrayList, the "attack code" tries to
insert data, adding to a list while iterating =
ConcurrentModificationException

I've been trying
On Tuesday, 8 January 2013 03:48:08 UTC, Igor Motov wrote:

Generating script on the client for every update is problematic not only
because it opens you to code injection attacks, but also because it's
inefficient. If your script will change for every call, elasticsearch will
have to parse it again and again. Instead of generating script every time,
use static script and pass changing values as script parameters.

On Monday, January 7, 2013 8:59:46 AM UTC-5, Artem Grinblat wrote:

Of course it's possible!
You should always check the data that comes from an external source!

Escape the string or make sure there's no special characters in it.

Sometimes I use a JSON escape
( JSONValue#escape from
http://code.google.com/p/json-simple/source/browse/trunk/src/main/java/org/json/simple/JSONValue.javafor example ).

понедельник, 7 января 2013 г., 14:13:29 UTC+4 пользователь chris
harrington написал:

If I take in a string variable from a client that will be inserted (or
used for updating) a field in ES using MVEL, is it possible for someone to
attack my data with some form of escaped String?

--

Just to be sure we are on the same page, when I said server and client I
meant elasticsearch server and whoever is using it. When elasticsearch
server receives a script with set of parameters, it compiles the script
first. Then script is executed and set of parameters is passed to the
script as a map. So, I was proposing something like this:

Map vars= new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

String var = "abc";key.add("444");""; //this represents a String
passed in from a client

vars.put("var", alist);

String script = "for(item:key){; if(item=="two"){item += var;}}"; //this
represents some script that updates data.

// send script and vars to elasticsearch

On Tuesday, January 8, 2013 8:19:21 AM UTC-5, chris harrington wrote:

The script isn't on the client, the script is on the server, the example
above would be on the server and the client would be passing in 'oldType'
and 'newType'. The possibility of attack comes from the String variable
passed in from the client. I've been trying to work how the string would
look like so I can take appropriate measures but so far all I've been able
to do is cause a concurrent modification exception.

Map vars= new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

String var = "abc";key.add("444");""; //this represents a String
passed in from a client

String script = "for(item:key){; if(item=="two"){item += ""+ var +
"";}}"; //this represents some script that updates data.

MVEL.eval(script, vars);// represents ES evaluating the MVEL.

While the MVEL iterates over the ArrayList, the "attack code" tries to
insert data, adding to a list while iterating =
ConcurrentModificationException

I've been trying
On Tuesday, 8 January 2013 03:48:08 UTC, Igor Motov wrote:

Generating script on the client for every update is problematic not only
because it opens you to code injection attacks, but also because it's
inefficient. If your script will change for every call, elasticsearch will
have to parse it again and again. Instead of generating script every time,
use static script and pass changing values as script parameters.

On Monday, January 7, 2013 8:59:46 AM UTC-5, Artem Grinblat wrote:

Of course it's possible!
You should always check the data that comes from an external source!

Escape the string or make sure there's no special characters in it.

Sometimes I use a JSON escape
( JSONValue#escape from
http://code.google.com/p/json-simple/source/browse/trunk/src/main/java/org/json/simple/JSONValue.javafor example ).

понедельник, 7 января 2013 г., 14:13:29 UTC+4 пользователь chris
harrington написал:

If I take in a string variable from a client that will be inserted (or
used for updating) a field in ES using MVEL, is it possible for someone to
attack my data with some form of escaped String?

--

Ah I understand what you mean, I've never seen a reference to using a
script like this in the docs, can you point me to some links/docs/articles
about using static scripts?

All the MVEL strings I use are built like this and then sent to ES via

String updateScript = "for(item: _ctx.source.field){......code......"" +variable

  • "".....code.....}";

UpdateResponse response = client.prepareUpdate(index, type, id).setScript(
updateScript).execute().actionGet();

How would I be able to use static scripts in this situation?

On Tuesday, 8 January 2013 14:23:13 UTC, Igor Motov wrote:

Just to be sure we are on the same page, when I said server and client I
meant elasticsearch server and whoever is using it. When elasticsearch
server receives a script with set of parameters, it compiles the script
first. Then script is executed and set of parameters is passed to the
script as a map. So, I was proposing something like this:

Map vars= new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

String var = "abc";key.add("444");""; //this represents a String
passed in from a client

vars.put("var", alist);

String script = "for(item:key){; if(item=="two"){item += var;}}"; //this
represents some script that updates data.

// send script and vars to elasticsearch

On Tuesday, January 8, 2013 8:19:21 AM UTC-5, chris harrington wrote:

The script isn't on the client, the script is on the server, the example
above would be on the server and the client would be passing in 'oldType'
and 'newType'. The possibility of attack comes from the String variable
passed in from the client. I've been trying to work how the string would
look like so I can take appropriate measures but so far all I've been able
to do is cause a concurrent modification exception.

Map vars= new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

String var = "abc";key.add("444");""; //this represents a String
passed in from a client

String script = "for(item:key){; if(item=="two"){item += ""+ var +
"";}}"; //this represents some script that updates data.

MVEL.eval(script, vars);// represents ES evaluating the MVEL.

While the MVEL iterates over the ArrayList, the "attack code" tries to
insert data, adding to a list while iterating =
ConcurrentModificationException

I've been trying
On Tuesday, 8 January 2013 03:48:08 UTC, Igor Motov wrote:

Generating script on the client for every update is problematic not only
because it opens you to code injection attacks, but also because it's
inefficient. If your script will change for every call, elasticsearch will
have to parse it again and again. Instead of generating script every time,
use static script and pass changing values as script parameters.

On Monday, January 7, 2013 8:59:46 AM UTC-5, Artem Grinblat wrote:

Of course it's possible!
You should always check the data that comes from an external source!

Escape the string or make sure there's no special characters in it.

Sometimes I use a JSON escape
( JSONValue#escape from
http://code.google.com/p/json-simple/source/browse/trunk/src/main/java/org/json/simple/JSONValue.javafor example ).

понедельник, 7 января 2013 г., 14:13:29 UTC+4 пользователь chris
harrington написал:

If I take in a string variable from a client that will be inserted (or
used for updating) a field in ES using MVEL, is it possible for someone to
attack my data with some form of escaped String?

--

String updateScript = "for(item: _ctx.source.field){......code......my_var
.....code.....}";

UpdateResponse response = client.prepareUpdate(index, type, id).setScript(
updateScript).addScriptParam("my_var", variable).execute().actionGet();

On Tuesday, January 8, 2013 10:00:24 AM UTC-5, chris harrington wrote:

Ah I understand what you mean, I've never seen a reference to using a
script like this in the docs, can you point me to some links/docs/articles
about using static scripts?

All the MVEL strings I use are built like this and then sent to ES via

String updateScript = "for(item: _ctx.source.field){......code......"" +variable

  • "".....code.....}";

UpdateResponse response = client.prepareUpdate(index, type, id).setScript(
updateScript).execute().actionGet();

How would I be able to use static scripts in this situation?

On Tuesday, 8 January 2013 14:23:13 UTC, Igor Motov wrote:

Just to be sure we are on the same page, when I said server and client I
meant elasticsearch server and whoever is using it. When elasticsearch
server receives a script with set of parameters, it compiles the script
first. Then script is executed and set of parameters is passed to the
script as a map. So, I was proposing something like this:

Map vars= new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

String var = "abc";key.add("444");""; //this represents a String
passed in from a client

vars.put("var", alist);

String script = "for(item:key){; if(item=="two"){item += var;}}"; //this
represents some script that updates data.

// send script and vars to elasticsearch

On Tuesday, January 8, 2013 8:19:21 AM UTC-5, chris harrington wrote:

The script isn't on the client, the script is on the server, the example
above would be on the server and the client would be passing in 'oldType'
and 'newType'. The possibility of attack comes from the String variable
passed in from the client. I've been trying to work how the string would
look like so I can take appropriate measures but so far all I've been able
to do is cause a concurrent modification exception.

Map vars= new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

String var = "abc";key.add("444");""; //this represents a String
passed in from a client

String script = "for(item:key){; if(item=="two"){item += ""+ var +
"";}}"; //this represents some script that updates data.

MVEL.eval(script, vars);// represents ES evaluating the MVEL.

While the MVEL iterates over the ArrayList, the "attack code" tries to
insert data, adding to a list while iterating =
ConcurrentModificationException

I've been trying
On Tuesday, 8 January 2013 03:48:08 UTC, Igor Motov wrote:

Generating script on the client for every update is problematic not
only because it opens you to code injection attacks, but also because it's
inefficient. If your script will change for every call, elasticsearch will
have to parse it again and again. Instead of generating script every time,
use static script and pass changing values as script parameters.

On Monday, January 7, 2013 8:59:46 AM UTC-5, Artem Grinblat wrote:

Of course it's possible!
You should always check the data that comes from an external source!

Escape the string or make sure there's no special characters in it.

Sometimes I use a JSON escape
( JSONValue#escape from
http://code.google.com/p/json-simple/source/browse/trunk/src/main/java/org/json/simple/JSONValue.javafor example ).

понедельник, 7 января 2013 г., 14:13:29 UTC+4 пользователь chris
harrington написал:

If I take in a string variable from a client that will be inserted
(or used for updating) a field in ES using MVEL, is it possible for someone
to attack my data with some form of escaped String?

--

That's straight forward enough, thanks.

And is this approach more secure from injection attacks or will I still
have to look into String parsing to make sure everything is clean?

On Tuesday, 8 January 2013 15:16:54 UTC, Igor Motov wrote:

String updateScript = "for(item: _ctx.source.field){......code......my_var
.....code.....}";

UpdateResponse response = client.prepareUpdate(index, type, id).setScript(
updateScript).addScriptParam("my_var", variable).execute().actionGet();

On Tuesday, January 8, 2013 10:00:24 AM UTC-5, chris harrington wrote:

Ah I understand what you mean, I've never seen a reference to using a
script like this in the docs, can you point me to some links/docs/articles
about using static scripts?

All the MVEL strings I use are built like this and then sent to ES via

String updateScript = "for(item: _ctx.source.field){......code......"" +variable

  • "".....code.....}";

UpdateResponse response = client.prepareUpdate(index, type, id).setScript
(updateScript).execute().actionGet();

How would I be able to use static scripts in this situation?

On Tuesday, 8 January 2013 14:23:13 UTC, Igor Motov wrote:

Just to be sure we are on the same page, when I said server and client I
meant elasticsearch server and whoever is using it. When elasticsearch
server receives a script with set of parameters, it compiles the script
first. Then script is executed and set of parameters is passed to the
script as a map. So, I was proposing something like this:

Map vars= new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

String var = "abc";key.add("444");""; //this represents a String
passed in from a client

vars.put("var", alist);

String script = "for(item:key){; if(item=="two"){item += var;}}"; //this
represents some script that updates data.

// send script and vars to elasticsearch

On Tuesday, January 8, 2013 8:19:21 AM UTC-5, chris harrington wrote:

The script isn't on the client, the script is on the server, the
example above would be on the server and the client would be passing in
'oldType' and 'newType'. The possibility of attack comes from the String
variable passed in from the client. I've been trying to work how the string
would look like so I can take appropriate measures but so far all I've been
able to do is cause a concurrent modification exception.

Map vars= new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

String var = "abc";key.add("444");""; //this represents a String
passed in from a client

String script = "for(item:key){; if(item=="two"){item += ""+ var +
"";}}"; //this represents some script that updates data.

MVEL.eval(script, vars);// represents ES evaluating the MVEL.

While the MVEL iterates over the ArrayList, the "attack code" tries to
insert data, adding to a list while iterating =
ConcurrentModificationException

I've been trying
On Tuesday, 8 January 2013 03:48:08 UTC, Igor Motov wrote:

Generating script on the client for every update is problematic not
only because it opens you to code injection attacks, but also because it's
inefficient. If your script will change for every call, elasticsearch will
have to parse it again and again. Instead of generating script every time,
use static script and pass changing values as script parameters.

On Monday, January 7, 2013 8:59:46 AM UTC-5, Artem Grinblat wrote:

Of course it's possible!
You should always check the data that comes from an external source!

Escape the string or make sure there's no special characters in it.

Sometimes I use a JSON escape
( JSONValue#escape from
http://code.google.com/p/json-simple/source/browse/trunk/src/main/java/org/json/simple/JSONValue.javafor example ).

понедельник, 7 января 2013 г., 14:13:29 UTC+4 пользователь chris
harrington написал:

If I take in a string variable from a client that will be inserted
(or used for updating) a field in ES using MVEL, is it possible for someone
to attack my data with some form of escaped String?

--

It's definitely more secure, it's just a string. It's not parsed or
compiled, it's just passed to the script. So, unless you
somehow explicitly evaluate it in your script, it cannot be executed.

On Tuesday, January 8, 2013 10:25:05 AM UTC-5, chris harrington wrote:

That's straight forward enough, thanks.

And is this approach more secure from injection attacks or will I still
have to look into String parsing to make sure everything is clean?

On Tuesday, 8 January 2013 15:16:54 UTC, Igor Motov wrote:

String updateScript = "for(item:
_ctx.source.field){......code......my_var.....code.....}";

UpdateResponse response = client.prepareUpdate(index, type, id).setScript
(updateScript).addScriptParam("my_var", variable).execute().actionGet();

On Tuesday, January 8, 2013 10:00:24 AM UTC-5, chris harrington wrote:

Ah I understand what you mean, I've never seen a reference to using a
script like this in the docs, can you point me to some links/docs/articles
about using static scripts?

All the MVEL strings I use are built like this and then sent to ES via

String updateScript = "for(item: _ctx.source.field){......code......""

  • variable + "".....code.....}";

UpdateResponse response = client.prepareUpdate(index, type, id).
setScript(updateScript).execute().actionGet();

How would I be able to use static scripts in this situation?

On Tuesday, 8 January 2013 14:23:13 UTC, Igor Motov wrote:

Just to be sure we are on the same page, when I said server and client
I meant elasticsearch server and whoever is using it. When elasticsearch
server receives a script with set of parameters, it compiles the script
first. Then script is executed and set of parameters is passed to the
script as a map. So, I was proposing something like this:

Map vars= new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

String var = "abc";key.add("444");""; //this represents a String
passed in from a client

vars.put("var", alist);

String script = "for(item:key){; if(item=="two"){item += var;}}"; //this
represents some script that updates data.

// send script and vars to elasticsearch

On Tuesday, January 8, 2013 8:19:21 AM UTC-5, chris harrington wrote:

The script isn't on the client, the script is on the server, the
example above would be on the server and the client would be passing in
'oldType' and 'newType'. The possibility of attack comes from the String
variable passed in from the client. I've been trying to work how the string
would look like so I can take appropriate measures but so far all I've been
able to do is cause a concurrent modification exception.

Map vars= new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

String var = "abc";key.add("444");""; //this represents a String
passed in from a client

String script = "for(item:key){; if(item=="two"){item += ""+ var +
"";}}"; //this represents some script that updates data.

MVEL.eval(script, vars);// represents ES evaluating the MVEL.

While the MVEL iterates over the ArrayList, the "attack code" tries to
insert data, adding to a list while iterating =
ConcurrentModificationException

I've been trying
On Tuesday, 8 January 2013 03:48:08 UTC, Igor Motov wrote:

Generating script on the client for every update is problematic not
only because it opens you to code injection attacks, but also because it's
inefficient. If your script will change for every call, elasticsearch will
have to parse it again and again. Instead of generating script every time,
use static script and pass changing values as script parameters.

On Monday, January 7, 2013 8:59:46 AM UTC-5, Artem Grinblat wrote:

Of course it's possible!
You should always check the data that comes from an external source!

Escape the string or make sure there's no special characters in it.

Sometimes I use a JSON escape
( JSONValue#escape from
http://code.google.com/p/json-simple/source/browse/trunk/src/main/java/org/json/simple/JSONValue.javafor example ).

понедельник, 7 января 2013 г., 14:13:29 UTC+4 пользователь chris
harrington написал:

If I take in a string variable from a client that will be inserted
(or used for updating) a field in ES using MVEL, is it possible for someone
to attack my data with some form of escaped String?

--

Good to know.

Thanks for all your help Igor.

On Tuesday, 8 January 2013 15:56:05 UTC, Igor Motov wrote:

It's definitely more secure, it's just a string. It's not parsed or
compiled, it's just passed to the script. So, unless you
somehow explicitly evaluate it in your script, it cannot be executed.

On Tuesday, January 8, 2013 10:25:05 AM UTC-5, chris harrington wrote:

That's straight forward enough, thanks.

And is this approach more secure from injection attacks or will I still
have to look into String parsing to make sure everything is clean?

On Tuesday, 8 January 2013 15:16:54 UTC, Igor Motov wrote:

String updateScript = "for(item:
_ctx.source.field){......code......my_var.....code.....}";

UpdateResponse response = client.prepareUpdate(index, type, id).
setScript(updateScript).addScriptParam("my_var", variable).execute().
actionGet();

On Tuesday, January 8, 2013 10:00:24 AM UTC-5, chris harrington wrote:

Ah I understand what you mean, I've never seen a reference to using a
script like this in the docs, can you point me to some links/docs/articles
about using static scripts?

All the MVEL strings I use are built like this and then sent to ES via

String updateScript = "for(item: _ctx.source.field){......code......""

  • variable + "".....code.....}";

UpdateResponse response = client.prepareUpdate(index, type, id).
setScript(updateScript).execute().actionGet();

How would I be able to use static scripts in this situation?

On Tuesday, 8 January 2013 14:23:13 UTC, Igor Motov wrote:

Just to be sure we are on the same page, when I said server and client
I meant elasticsearch server and whoever is using it. When elasticsearch
server receives a script with set of parameters, it compiles the script
first. Then script is executed and set of parameters is passed to the
script as a map. So, I was proposing something like this:

Map vars= new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

String var = "abc";key.add("444");""; //this represents a String
passed in from a client

vars.put("var", alist);

String script = "for(item:key){; if(item=="two"){item += var;}}"; //this
represents some script that updates data.

// send script and vars to elasticsearch

On Tuesday, January 8, 2013 8:19:21 AM UTC-5, chris harrington wrote:

The script isn't on the client, the script is on the server, the
example above would be on the server and the client would be passing in
'oldType' and 'newType'. The possibility of attack comes from the String
variable passed in from the client. I've been trying to work how the string
would look like so I can take appropriate measures but so far all I've been
able to do is cause a concurrent modification exception.

Map vars= new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

String var = "abc";key.add("444");""; //this represents a
String passed in from a client

String script = "for(item:key){; if(item=="two"){item += ""+ var
+"";}}"; //this represents some script that updates data.

MVEL.eval(script, vars);// represents ES evaluating the MVEL.

While the MVEL iterates over the ArrayList, the "attack code" tries
to insert data, adding to a list while iterating =
ConcurrentModificationException

I've been trying
On Tuesday, 8 January 2013 03:48:08 UTC, Igor Motov wrote:

Generating script on the client for every update is problematic not
only because it opens you to code injection attacks, but also because it's
inefficient. If your script will change for every call, elasticsearch will
have to parse it again and again. Instead of generating script every time,
use static script and pass changing values as script parameters.

On Monday, January 7, 2013 8:59:46 AM UTC-5, Artem Grinblat wrote:

Of course it's possible!
You should always check the data that comes from an external source!

Escape the string or make sure there's no special characters in it.

Sometimes I use a JSON escape
( JSONValue#escape from
http://code.google.com/p/json-simple/source/browse/trunk/src/main/java/org/json/simple/JSONValue.javafor example ).

понедельник, 7 января 2013 г., 14:13:29 UTC+4 пользователь chris
harrington написал:

If I take in a string variable from a client that will be inserted
(or used for updating) a field in ES using MVEL, is it possible for someone
to attack my data with some form of escaped String?

--