Harden Elasticsearch search API #471
Comments
|
This is a fork of this issue: #398 (comment) |
|
I tried sending this one: {
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {}
}
}
},
"script_fields": {
"/etc/hosts": {
"script": "import java.io.File;\n import java.util.Scanner;\n new Scanner(new File(\"/etc/hosts\")).useDelimiter(\"\\\\Z\").next();"
},
"/etc/passwd": {
"script": "import java.io.File;\n import java.util.Scanner;\n new Scanner(new File(\"/etc/passwd\")).useDelimiter(\"\\\\Z\").next();"
}
}
}but it gets rejected immediatetly and the client gets a 400 Bad Request. |
|
You can do this: {"query": {"match_all": {}}, "size": 10000}and get 10,000 records back. We can put a limit on the |
peterbe
added a commit
to peterbe/buildhub2
that referenced
this issue
Jan 31, 2019
Merged
|
@autrilla Can you check if we can disable all scripting on our ES cluster for Buildhub2? Or if that's even feasible. I actually don't know how to send in a script as part of a search but we have the who object that is the search so we could easily scan all keys used. |
bors bot
added a commit
that referenced
this issue
Jan 31, 2019
472: cap size on search API r=peterbe a=peterbe Part of #471 Co-authored-by: Peter Bengtsson <[email protected]>
|
Filed PR https://github.com/mozilla-services/cloudops-infra/pull/548 for it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Our
/api/searchis essentially open. We should try to harden it as much as possible.The text was updated successfully, but these errors were encountered: