How to avoid script injection into an Elasticsearch search query?

I have an application that uses AngularJS and has Elasticsearch as its database. The Elasticsearch version is 1.3.1, so dynamic scripting is enabled by default. The user can add data to Elasticsearch from the application. So, while searching, how can I avoid injections, specifically script injection, in an Elasticsearch query?

+3




1 answer


  • Depends on how the JSON is built. If it is something like "{query: {match:"%s"}}", then a string can be passed to add text to the script.
  • Check if Elasticsearch message is open to everyone - you should close it.
  • You must use Groovy scripting sandboxes and constrain the libraries to be used.


+2
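The first point of the answer, as an added example that is not part of the original answer: a query body built by splicing user text into a JSON template, next to one built as an object and serialized. The field name `title`, the function names and the crafted input are assumptions constructed for illustration.

```javascript
// Added example; "title" and all inputs below are constructed, not from the post.

// Unsafe: user text is spliced into a template like "{query: {match: "%s"}}".
// A double quote in the input ends the string value and the rest is parsed as JSON.
function buildQueryUnsafe(userText) {
  return '{"query": {"match": {"title": "' + userText + '"}}}';
}

// Safe: build the body as an object and let JSON.stringify escape the value,
// so user text can only ever be a string inside the match clause.
function buildQuerySafe(userText) {
  if (typeof userText !== 'string') {
    throw new TypeError('search text must be a string');
  }
  return JSON.stringify({ query: { match: { title: userText } } });
}

// Defensive check before sending: this application only ever sends "query"
// at the top level, so any other key means the body was tampered with.
function topLevelKeys(body) {
  return Object.keys(JSON.parse(body)).sort();
}

function hasExpectedShape(body) {
  const keys = topLevelKeys(body);
  return keys.length === 1 && keys[0] === 'query';
}

// Constructed input: closes the string early and appends extra top-level keys,
// including a script clause the application never intended to send.
const crafted =
  'x"}}, "script_fields": {"f": {"script": "1+1"}}, "pad": {"a": {"b": "c';

console.log(topLevelKeys(buildQueryUnsafe(crafted))); // extra keys appear
console.log(topLevelKeys(buildQuerySafe(crafted)));   // only "query"
console.log(hasExpectedShape(buildQueryUnsafe(crafted)),
            hasExpectedShape(buildQuerySafe(crafted)));
```

Building the body server-side this way, rather than in the AngularJS client, also keeps the Elasticsearch endpoint from having to be reachable by browsers at all.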

