Hello. What are the recommended techniques to protect ES queries against NoSQL injection? It's common for some parameters to be specified externally (by the user, for example). How can we prevent them from abusing the query?
Is there a function on the language APIs to escape strings containing the values?
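As an added illustration (not part of this thread, and not code from Elasticsearch or any of its client libraries), the Python below contrasts the pattern that creates the injection problem, splicing user input into the JSON text of a query, with the pattern that avoids it: building the query DSL as a native dict and letting the JSON serialiser escape values. The allow-list of searchable fields and the size cap are assumptions for the example; the finished dict is what you would hand to whatever client you use, which serialises it itself.

```python
import json
from typing import Any

# Constructed allow-list: the only fields this application lets an end user
# search on. A user-chosen field name is a structural part of the query, so
# escaping the value alone is not enough; the name must be checked too.
ALLOWED_FIELDS = {"title", "author", "tags"}
MAX_SIZE = 100


def unsafe_query(field: str, term: str) -> str:
    """The vulnerable pattern: user input pasted into the JSON body as text.

    A value containing a quote or brace either breaks the body or changes its
    structure. Kept here only as the 'before' to contrast with safe_query().
    """
    return '{"query": {"match": {"%s": "%s"}}}' % (field, term)


def field_is_allowed(field: str) -> bool:
    """True only for field names the application explicitly permits."""
    return isinstance(field, str) and field in ALLOWED_FIELDS


def safe_query(field: str, term: str, size: int = 10) -> dict[str, Any]:
    """Build the query DSL as data, not as a string.

    - `field` is validated against the allow-list.
    - `term` must be a plain string; a dict or list arriving from a JSON
      request body would otherwise become query options, not a search term.
    - `size` is clamped so a caller cannot demand an unbounded result set.
    The returned dict is serialised by the client, so the term is always an
    escaped JSON string and can never turn into an extra clause or operator.
    """
    if not field_is_allowed(field):
        raise ValueError(f"field not allowed: {field!r}")
    if not isinstance(term, str):
        raise TypeError("search term must be a string")
    size = max(1, min(int(size), MAX_SIZE))
    return {"query": {"match": {field: term}}, "size": size}


def safe_query_json(field: str, term: str, size: int = 10) -> str:
    """Same as safe_query(), serialised the way a client would send it."""
    return json.dumps(safe_query(field, term, size))


def query_is_well_formed(body: str) -> bool:
    """Does the body parse as JSON at all? Used to show how the unsafe
    string version falls apart on hostile-looking but ordinary input."""
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    # Constructed input: a search term that happens to contain a quote.
    term = 'O"Brien'
    print("unsafe parses:", query_is_well_formed(unsafe_query("title", term)))
    print("safe body:   ", safe_query_json("title", term, size=500))
```

The point the example makes is that there is no escaping function to call because none is needed: values never touch the JSON text, and the remaining injection surface (field names, sort keys, sizes, any structural choice the user is allowed to make) is closed by validating those inputs against what the application intends to expose.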
Security provides AAA for the cluster. In a two- (or three-) tier application, the end user doesn't have direct access to the ES cluster. The web (or application) server sits in between the user and ES.
AAA does not solve the injection vulnerability problem, because the user sends their parameters to the web server, and the server constructs the request on the end user's behalf. We are trying to prevent the end user from modifying that request.