douke1905
2016-10-10 14:17
浏览 111
已采纳

如何清理Elasticsearch自动生成的ID?

I would like to validate my Elasticsearch ID before calling the server. I was searching around to figure out if there is anyway to check if the requested ID have a correct format or not. I am not sure if this is necessary or not. I know that elasticsearch generates URL-safe Base64 ID's.

Anyone have a suggestion ? My question is :

  • Should I validate elasticsearch ID ? If yes how to validate the format before executing the query ?

  • If no.. is it secure to query the Elasticsearch server directly ? Users will not be able to input the ID, but some malicous users can intercept or figure out how to call the Endpoint with a random string, that could be a possible attack or access to a different set of data ?

I am an Elasticsearch beginner however am looking for best practice. I was reading that in previous versions there was a breach that opens to a remote code execution.

https://www.elastic.co/blog/scripting-security

http://bouk.co/blog/elasticsearch-rce/

I know this is fixed but still would like to validate the ID. This, at least will avoid making an unnecessary call to Elasticsearch if the ID is not in correct format. What I know is "never trust user input" or in my case avoid possible input..

Note : I am using elasticsearch-php Client.

Any suggestion ? Thanks.

图片转代码服务由CSDN问答提供 功能建议

我想在调用服务器之前验证我的Elasticsearch ID 。 我正在四处寻找,无论如何都要检查所请求的ID是否具有正确的格式。 我不确定这是否有必要。 我知道 elasticsearch会生成URL安全的Base64 ID

有人有建议吗? 我的问题是:

  • 我应该验证elasticsearch ID 吗? 如果是,如何在执行查询之前验证格式?

  • 如果没有...是否可以直接查询Elasticsearch服务器? 用户将无法输入ID,但是一些恶意用户可以拦截或弄清楚如何使用随机字符串调用端点,这可能是一种可能的攻击或访问不同的数据集?

    我是Elasticsearch的初学者,但我正在寻找最佳实践。 我读到在以前的版本中有一个违规,可以打开远程代码执行。

    https://www.elastic.co/blog/scripting-security

    http://bouk.co/blog/elasticsearch-rce/

    我知道这是固定的,但仍然会 喜欢验证ID。 如果ID格式不正确,至少会避免对Elasticsearch进行不必要的调用。 我所知道的是“从不信任用户输入”或在我的情况下避免可能的输入..

    注意:我使用的是elasticsearch-php客户端。

    有什么建议吗? 谢谢。

  • 写回答
  • 好问题 提建议
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • doucuoyan0426 2016-10-12 21:08
    已采纳

    Should I validate elasticsearch ID ?

    If you want. You could check that only alphanumerics, +, / and = are present. This adds an extra layer of security, but it should not be strictly necessary to do so. In the spirit of "defence in depth", I would recommend it.

    If no.. is it secure to query the Elasticsearch server directly ? Users will not be able to input the ID, but some [malicious] users can intercept or figure out how to call the Endpoint with a random string, that could be a possible attack or access to a different set of data ?

    If you use a tried and tested JSON encoder to build your query, then any attacker will not be able to break the query and retrieve data that they're not meant to (i.e. breaking out of a JSON string built with concatenation will not be possible - a form of NoSQL Injection). Do this even if you are validating the JSON string as I earlier described.

    已采纳该答案
    评论
    解决 无用
    打赏 举报

相关推荐 更多相似问题