Do I have to worry about an MVEL attack?

The script isn't on the client, the script is on the server; the example
above would be on the server and the client would be passing in 'oldType'
and 'newType'. The possibility of attack comes from the String variable
passed in from the client. I've been trying to work out how the string would
look so I can take appropriate measures, but so far all I've been able
to do is cause a ConcurrentModificationException.

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import org.mvel2.MVEL;

Map vars = new HashMap();
ArrayList alist = new ArrayList();

alist.add("one");
alist.add("two");
alist.add("1");

vars.put("key", alist);

// this represents a String passed in from a client; the quotes inside it
// close the literal the script wraps it in, so the rest runs as MVEL code
String var = "abc\";key.add(\"444\");\"";

// this represents some script that updates data, built by concatenating var
String script = "for(item:key){ if(item==\"two\"){item += \"" + var + "\";}}";

MVEL.eval(script, vars); // represents ES evaluating the MVEL.

While MVEL iterates over the ArrayList, the "attack code" tries to
insert data; adding to a list while iterating over it gives a
ConcurrentModificationException.

I've been trying
On Tuesday, 8 January 2013 03:48:08 UTC, Igor Motov wrote:

Generating script on the client for every update is problematic not only
because it opens you to code injection attacks, but also because it's
inefficient. If your script will change for every call, elasticsearch will
have to parse it again and again. Instead of generating script every time,
use static script and pass changing values as script parameters.
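The two patterns discussed in this thread side by side, as an added example that is not code from the thread or from elasticsearch: the concatenated script from the earlier post, where the client string (the same "abc";key.add("444");" value) ends up parsed as MVEL, and the static, compiled script Igor recommends, where the same string arrives through a variable and is only ever a value. The class name, the variable name suffix and the helper methods are this example's own; it assumes MVEL 2.x (org.mvel2) on the classpath.

```java
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.mvel2.MVEL;

// Added example; not code from the thread. Assumes MVEL 2.x (org.mvel2.MVEL).
public class StaticScriptExample {

    // Constructed sample of the client-supplied value: the string from the
    // thread that closes the quoted literal a concatenated script wraps it in.
    static final String UNTRUSTED = "abc\";key.add(\"444\");\"";

    // Vulnerable pattern: script source is assembled from client input, so the
    // input can change the structure of the script instead of being data.
    static String buildScriptByConcatenation(String untrusted) {
        return "for(item:key){ if(item==\"two\"){item += \"" + untrusted + "\";} }";
    }

    // Static script: parsed once, reused for every call. The client value is
    // read from the variable 'suffix' (name chosen for this example) and is
    // appended to matching items as a plain String value.
    static final String STATIC_SCRIPT =
        "out = []; for(item:key){ if(item==\"two\"){ out.add(item + suffix); }"
        + " else { out.add(item); } } out";
    static final Serializable COMPILED = MVEL.compileExpression(STATIC_SCRIPT);

    // Same three-element list the thread uses.
    static List<String> freshList() {
        List<String> list = new ArrayList<>();
        list.add("one");
        list.add("two");
        list.add("1");
        return list;
    }

    // Parameterised form: the script never sees the client string as code.
    static Object runStatic(String clientValue) {
        Map<String, Object> vars = new HashMap<>();
        vars.put("key", freshList());
        vars.put("suffix", clientValue);
        return MVEL.executeExpression(COMPILED, vars);
    }

    public static void main(String[] args) {
        // Quotes in UNTRUSTED are just characters here; 'key' keeps its 3 items.
        System.out.println("parameterised result: " + runStatic(UNTRUSTED));

        // The concatenated form re-parses the client string as part of the
        // script; the thread's input then calls key.add() inside the loop.
        Map<String, Object> vars = new HashMap<>();
        vars.put("key", freshList());
        try {
            MVEL.eval(buildScriptByConcatenation(UNTRUSTED), vars);
            System.out.println("concatenated script ran; list is now " + vars.get("key"));
        } catch (RuntimeException e) {
            System.out.println("concatenated script failed: " + e.getClass().getSimpleName());
        }
    }
}
```

The point of the static form is that the boundary between code and data is fixed when the script is written: whatever characters the client sends, they are assigned to suffix and concatenated at runtime as a String, so there is nothing to escape. That is a stronger position than escaping the value before splicing it into the script source, which has to anticipate every character MVEL treats specially.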

On Monday, January 7, 2013 8:59:46 AM UTC-5, Artem Grinblat wrote:

Of course it's possible!
You should always check the data that comes from an external source!

Escape the string or make sure there's no special characters in it.

Sometimes I use a JSON escape (JSONValue#escape from
http://code.google.com/p/json-simple/source/browse/trunk/src/main/java/org/json/simple/JSONValue.java for example).

On Monday, 7 January 2013 14:13:29 UTC+4, chris harrington wrote:

If I take in a string variable from a client that will be inserted (or
used for updating) a field in ES using MVEL, is it possible for someone to
attack my data with some form of escaped String?
