NoSQL Injection via the Java Client

Hi there,
I've implemented a basic search backed by an ES cluster. In a code review, my colleague asked if there was the possibility of a NoSQL injection attack. I assume that the QueryBuilder protects against injection attacks, but that's not explicit in the documentation. Is it best practice to filter user-supplied query terms before using a QueryBuilder, or to rely on QueryBuilder's protection?

I'm using 5.5.1.

Thanks,
Greg
