INTRODUCTION:
We have a system where we store job applications from candidates in Elasticsearch. We further present all candidates who have applied for a job in a candidate list (a grid with candidates).
We also have a search field on the same site where we can filter candidates. We are actually doing a full-text search to match candidates based on the input from the user.
MORE DETAILS:
So, the users can enter input. Right now, we are using the input from users directly in a query to Elasticsearch, for example:
```csharp
var queryStringQuery = new QueryStringQuery
{
    Fields = new Field("firstName").And("lastName").And("education").And("workExperience")
        .And("currentPosition").And("currentEmployer").And("attachments.attachment.content"),
    Query = "*" + query.Freetext + "*"
};
```
If you look at the Query parameter, you can notice that we are setting it to query.Freetext (which is the input from the user).
The user can input malicious content (injection attack).
QUESTION:
How does Elasticsearch handle malicious content in the query? What can I do to prevent it?
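The risk with query_string is that the user's text is parsed as Lucene syntax: `field:value` searches fields you did not intend to expose, `/regex/` and leading `*` produce expensive queries, and unbalanced quotes or brackets make the request fail. Two ways to stop that, as an added NEST example that is not code from the question (`CandidateSearch` and its method names are assumed; the field list is the one in the question):

```csharp
using System.Text.RegularExpressions;
using Nest;

public static class CandidateSearch
{
    // Same field list as the original query.
    private static readonly Fields CandidateFields =
        new Field("firstName").And("lastName").And("education").And("workExperience")
            .And("currentPosition").And("currentEmployer").And("attachments.attachment.content");

    // Reserved characters of the query_string syntax (from the Elasticsearch docs):
    // + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /
    // '<' and '>' cannot be escaped, so they are removed; every other one gets a backslash.
    private static readonly Regex Reserved = new Regex(@"(&&|\|\||[+\-=!(){}\[\]^""~*?:\\/])");

    public static string EscapeQueryString(string userInput)
    {
        var text = (userInput ?? string.Empty).Replace("<", "").Replace(">", "");
        return Reserved.Replace(text, m => "\\" + m.Value);
    }

    // Option 1: keep query_string, but pass the user's text as literal terms,
    // forbid leading wildcards (they scan the whole term dictionary) and
    // require every term to match.
    public static QueryContainer EscapedQueryString(string freetext) =>
        new QueryStringQuery
        {
            Fields = CandidateFields,
            Query = EscapeQueryString(freetext),
            AllowLeadingWildcard = false,
            DefaultOperator = Operator.And
        };

    // Option 2 (preferred): simple_query_string never fails on bad syntax and
    // only honours the operators enabled in Flags, so user text cannot switch
    // fields, build range queries or run regular expressions.
    public static QueryContainer SimpleSearch(string freetext) =>
        new SimpleQueryStringQuery
        {
            Fields = CandidateFields,
            Query = freetext ?? string.Empty,
            DefaultOperator = Operator.And,
            Flags = SimpleQueryStringFlags.And | SimpleQueryStringFlags.Or | SimpleQueryStringFlags.Phrase
        };
}
```

Both options drop the `"*" + ... + "*"` wrapping; if substring matching is required, index the fields with an ngram analyzer instead of letting user input reach the wildcard parser.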