Hello. What are the recommended techniques to protect ES queries against NoSQL injection? It's common for some parameters to be specified externally (by the user, for example). How can we prevent them from abusing the query?
Is there a function on the language APIs to escape strings containing the values?
We'd suggest the use of Security to maintain AAA - https://www.elastic.co/guide/en/x-pack/current/xpack-security.html
Security provides AAA for the cluster. In a two(or three)-tier application, the end user doesn't have direct access to the ES cluster. The Web (or application) server sits in-between the user and ES.
AAA does not solve the injection vulnerability problem, because the user sends its parameters to the webserver, and the server constructs the request on the end-users behalf. We are trying to prevent the end-user from modifying that request.
So, is there an API function to perform input validation/sanitization on user input?
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.