No-SQL injection

Hi,
I am very new to Elasticsearch, so my question might sound stupid.
I am working on a project that uses Elasticsearch as the database.
I have a search page on our app. When a user enters some keyword in the search bar and clicks submit, the request is sent to our server, and the server code uses the keyword to generate a GET request to the Elasticsearch API.
The data in the database are some articles, not anything user specific.

Now the question I have is: can there be a No-SQL injection attack on our API?
(As far as I have read, the GET API can only be used to retrieve the data.)
If there can be a No-SQL injection attack, how do we protect against it?

We've made a number of changes to ES to reduce the possibility of this happening, so it's unlikely.

Thank you 🙂

Hi, I had one more query: from which version of Elasticsearch is this fix implemented?
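For the search flow described in the question (user keyword, then a server-built search request), here is an added example that is not part of the original thread and not Elastic's code. It contrasts splicing the keyword into the JSON request body with serializing it as a plain string value. The field name `body`, the length limit, the function names and the sample keyword are assumptions made for illustration.

```python
import json

SEARCH_FIELD = "body"      # hypothetical field name; the thread does not name one
MAX_KEYWORD_LEN = 200      # assumed application limit

# Constructed sample input: a keyword containing quote and brace characters.
CONSTRUCTED_KEYWORD = 'a"}}, "size": 0, "x": {"y": {"z": "b'


def build_body_concat(keyword):
    """Weak form: the keyword is pasted into JSON text, so quote
    characters in it can change the structure of the request body."""
    return '{"query": {"match": {"%s": "%s"}}}' % (SEARCH_FIELD, keyword)


def build_body_safe(keyword):
    """Hardened form: build a dict and let the serializer escape the
    keyword, so it can only ever be the text of a `match` query.
    `match` analyzes its input as text; it does not parse the operator
    syntax that `query_string` accepts."""
    if not isinstance(keyword, str):
        raise TypeError("keyword must be a string")
    keyword = keyword.strip()
    if not keyword or len(keyword) > MAX_KEYWORD_LEN:
        raise ValueError("keyword is empty or too long")
    body = {
        "query": {"match": {SEARCH_FIELD: {"query": keyword}}},
        "size": 10,  # result size is fixed by the server, not the user
    }
    return json.dumps(body)


def top_level_keys(body_text):
    """Keys at the top level of a request body, for comparison."""
    return sorted(json.loads(body_text).keys())


def keyword_in(body_text):
    """The search text as the hardened body carries it."""
    return json.loads(body_text)["query"]["match"][SEARCH_FIELD]["query"]


if __name__ == "__main__":
    print(top_level_keys(build_body_concat(CONSTRUCTED_KEYWORD)))
    print(top_level_keys(build_body_safe(CONSTRUCTED_KEYWORD)))
```

With concatenation the constructed keyword introduces extra top-level keys into the body; with serialization it stays a single string value inside the `match` query.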
