I'm building an Elasticsearch query using QueryBuilders in my backend. The cluster is not directly exposed to the internet, and is only accessed through the backend.
I've noticed that I am providing it with unsanitized user input, and it reminded me of SQL injections. I know how to prevent SQL injections, but I'm not sure that the QueryBuilder escapes the input.
I found that there is a thing called 'Search Templates', which use Mustache. Do they maybe escape the content properly? Are they 'the way to go' to prevent such problems?
I'm not even sure what the problematic user input could be like. When using the QueryBuilder, I don't think the HTTP method of the query could be changed.
Maybe scripting could be a problem, but that can be disabled.
To reiterate my question: are code injections a problem for Elasticsearch, and if yes, what are the best ways to mitigate them?
Thanks! :)
The best way to prevent NoSQL injection attacks is to avoid using raw user input in your application code, especially when writing database queries. For example, MongoDB has built-in functionality to build secure queries without using JavaScript.
In fact, NoSQL databases are vulnerable to injection attacks, cross-site request forgery (CSRF) and other vulnerabilities.
How to Prevent an SQL Injection. The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
One would think that having a NoSQL database prevents any sort of SQL Injection. However, that's not the case. Just like any other database, MongoDB uses commands to fetch and display data on the web application.
You can find all previously detected security flaws in ES, but NoSQL injection has never been one of them... so far.
However, you can find some literature that talks about how to do just that. Also some other discussions and resources might be worth reading.
As a quick example, it is definitely possible to create a NoSQL injection attack when using search templates that are leveraging the Mustache templating language. For instance, say we have the following two documents:
PUT attack/doc/1
{
  "field1": 2,
  "field2": 1
}
PUT attack/doc/2
{
  "field1": 2,
  "field2": 2
}
And a template query on field1 that (wrongly) uses triple mustaches:
POST _scripts/attack
{
  "script": {
    "lang": "mustache",
    "source": """
    {
      "query": {
        "bool": {
          "filter": [
            {
              "term": {
                "field1": {{{field}}}
              }
            },
            {
              "range": {
                "field2": {
                  "gte": 2
                }
              }
            }
          ]
        }
      }
    }
    """
  }
}
By using a cleverly chosen value for the field parameter, we can leak the whole index:
POST attack/_search/template
{
  "id": "attack",
  "params": {
    "field": "2}}],\"should\":[{\"range\":{\"field2\":{\"lte\":2}"
  }
}
The final query would look like this, i.e. we were able to insert a should clause that basically leaks the whole index:
{
  "query" : {
    "bool" : {
      "filter" : [
        {
          "term" : {
            "field1" : 2
          }
        }
      ],
      "should" : [
        {
          "range" : {
            "field2" : {
              "lte" : 2
            }
          }
        },
        {
          "range" : {
            "field2" : {
              "gte" : 2
            }
          }
        }
      ]
    }
  }
}
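To make the difference between triple and double mustaches concrete, here is an added Python example (not code from the answer above or from Elasticsearch): a toy renderer substitutes the answer's payload into the flattened template both unescaped and JSON-escaped, next to a QueryBuilder-style construction that builds the query as a data structure. The regex renderer and the json.dumps escaping are assumptions standing in for Elasticsearch's real Mustache engine.

```python
import json
import re

# Toy Mustache renderer (an assumption, not Elasticsearch's engine):
# {{{name}}} inserts the raw value, {{name}} inserts it escaped.
TAG_RE = re.compile(r"\{\{\{(\w+)\}\}\}|\{\{(\w+)\}\}")


def render(template: str, params: dict, escape) -> dict:
    def substitute(match):
        raw, escaped = match.group(1), match.group(2)
        if raw is not None:
            return str(params[raw])        # triple mustache: no escaping
        return escape(params[escaped])     # double mustache: escaped
    return json.loads(TAG_RE.sub(substitute, template))


# The answer's template, flattened; the term value is a triple mustache.
VULNERABLE_TEMPLATE = (
    '{"query":{"bool":{"filter":['
    '{"term":{"field1":{{{field}}}}},'
    '{"range":{"field2":{"gte":2}}}]}}}'
)
# Same template with a double mustache, so the value gets escaped.
ESCAPED_TEMPLATE = VULNERABLE_TEMPLATE.replace("{{{field}}}", "{{field}}")

# The "field" parameter value from the answer above.
PAYLOAD = '2}}],"should":[{"range":{"field2":{"lte":2}'


def json_escape(value) -> str:
    """JSON-escape: the value can only ever become one string literal."""
    return json.dumps(str(value))


def render_vulnerable(field_value: str) -> dict:
    return render(VULNERABLE_TEMPLATE, {"field": field_value}, json_escape)


def render_escaped(field_value: str) -> dict:
    return render(ESCAPED_TEMPLATE, {"field": field_value}, json_escape)


def build_query(field_value) -> dict:
    """QueryBuilder-style: the input is a value, never query structure."""
    return {"query": {"bool": {"filter": [
        {"term": {"field1": field_value}},
        {"range": {"field2": {"gte": 2}}}]}}}


if __name__ == "__main__":
    print(json.dumps(render_vulnerable(PAYLOAD)["query"]["bool"], indent=1))
    print(json.dumps(render_escaped(PAYLOAD)["query"]["bool"], indent=1))
```

The unescaped rendering gains the injected should clause from the answer, while the escaped rendering and the dict-built query keep the whole payload as a single term value.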