douke1905 2016-10-10 14:17
浏览 144
已采纳

如何清理Elasticsearch自动生成的ID?

I would like to validate my Elasticsearch ID before calling the server. I was searching around to figure out if there is anyway to check if the requested ID have a correct format or not. I am not sure if this is necessary or not. I know that elasticsearch generates URL-safe Base64 ID's.

Anyone have a suggestion ? My question is :

  • Should I validate elasticsearch ID ? If yes how to validate the format before executing the query ?

  • If no.. is it secure to query the Elasticsearch server directly ? Users will not be able to input the ID, but some malicous users can intercept or figure out how to call the Endpoint with a random string, that could be a possible attack or access to a different set of data ?

I am an Elasticsearch beginner however am looking for best practice. I was reading that in previous versions there was a breach that opens to a remote code execution.

https://www.elastic.co/blog/scripting-security

http://bouk.co/blog/elasticsearch-rce/

I know this is fixed but still would like to validate the ID. This, at least will avoid making an unnecessary call to Elasticsearch if the ID is not in correct format. What I know is "never trust user input" or in my case avoid possible input..

Note : I am using elasticsearch-php Client.

Any suggestion ? Thanks.

  • 写回答

1条回答 默认 最新

  • doucuoyan0426 2016-10-12 21:08
    关注

    Should I validate elasticsearch ID ?

    If you want. You could check that only alphanumerics, +, / and = are present. This adds an extra layer of security, but it should not be strictly necessary to do so. In the spirit of "defence in depth", I would recommend it.

    If no.. is it secure to query the Elasticsearch server directly ? Users will not be able to input the ID, but some [malicious] users can intercept or figure out how to call the Endpoint with a random string, that could be a possible attack or access to a different set of data ?

    If you use a tried and tested JSON encoder to build your query, then any attacker will not be able to break the query and retrieve data that they're not meant to (i.e. breaking out of a JSON string built with concatenation will not be possible - a form of NoSQL Injection). Do this even if you are validating the JSON string as I earlier described.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

    报告相同问题?

    悬赏问题

    • ¥30 哈夫曼编码译码器打印树形项目
    • ¥20 求完整顺利登陆QQ邮箱的python代码
    • ¥15 基带到底是什么?为什么手机厂和厂外完全两个概念
    • ¥15 怎么下载MySQL,怎么卸干净原来的MySQL
    • ¥15 网络打印机Ip地址自动获取出现问题
    • ¥15 求局部放电案例库,用于预测局部放电类型
    • ¥100 QT Open62541
    • ¥15 stata合并季度数据和日度数据
    • ¥15 谁能提供rabbitmq,erlang,socat压缩包,记住版本要对应
    • ¥15 Vue3 中使用 `vue-router` 只能跳转到主页面?