I would like to validate my Elasticsearch ID before calling the server. I was searching around to figure out if there is anyway to check if the requested ID have a correct format or not. I am not sure if this is necessary or not. I know that elasticsearch generates URL-safe Base64 ID's.
Anyone have a suggestion ? My question is :
Should I validate elasticsearch ID ? If yes how to validate the format before executing the query ?
If no.. is it secure to query the Elasticsearch server directly ? Users will not be able to input the ID, but some malicous users can intercept or figure out how to call the Endpoint with a random string, that could be a possible attack or access to a different set of data ?
I am an Elasticsearch beginner however am looking for best practice. I was reading that in previous versions there was a breach that opens to a remote code execution.
https://www.elastic.co/blog/scripting-security
http://bouk.co/blog/elasticsearch-rce/
I know this is fixed but still would like to validate the ID. This, at least will avoid making an unnecessary call to Elasticsearch if the ID is not in correct format. What I know is "never trust user input" or in my case avoid possible input..
Note : I am using elasticsearch-php Client.
Any suggestion ? Thanks.
