Skip to content

Use params in dynamic ES queries #33

Open
Open
Use params in dynamic ES queries#33
Labels
security
@rimutaka

Description

@rimutaka
rimutaka
opened on Apr 1, 2022

Building dynamic ES queries without parameters feels totally wrong. For example:

GET dev/_search
{
  "aggs": {
    "suggestions": {
      "terms": {
        "field": "report.tech.pkgs_kw.k.keyword",
        "include": "mon.*"
      }
    }
  },
  "size": 0
}

where "include": "mon.*" is a dynamic field filled with user input. It allows Regex, so has to be thoroughly validated and escaped.

There should be a way of doing it via params like in SQL.

Metadata

Metadata

Assignees

No one assigned

    Labels

    security

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions