elastic / elasticsearch-rs

Official Elasticsearch Rust Client
https://www.elastic.co/guide/en/elasticsearch/client/rust-api/current/index.html
Apache License 2.0
705 stars 72 forks

[ENHANCEMENT] sanitize user input #151

Closed Jasperav closed 3 years ago

Jasperav commented 3 years ago

Is your feature request related to a problem? Please describe.
I want to validate user input before sending a query to Elasticsearch.

Describe the solution you'd like
A query parser, or a parameterized query possibility.

Additional context
Currently my code looks somewhat like this, but I want to escape user input:

use elasticsearch::SearchParts;
use serde_json::json;

// TODO: This is probably a bad way to search users
let value = format!("{}", part_of_username);
let search = elastic_con
    .search(SearchParts::Index(&["users"]))
    .body(json!({
        "query": {
            "match": {
                "username": {
                    "query": value, // <-- value isn't escaped and can contain malicious data
                    "analyzer": "standard"
                }
            }
        }
    }));
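The following is an added example, not code from the elasticsearch-rs project or from either commenter, that separates the two layers at which "escaping" can matter for the snippet above. At the JSON layer, `serde_json::json!` serializes a Rust `String` as a JSON string node, escaping quotes and control characters, so the value cannot add or alter keys in the request body; `escape_json_string` below reproduces that rule with the standard library only, and `naive_match_query_body` shows the anti-pattern it protects against (pasting raw text into a JSON body). At the query-syntax layer, a `match` query treats its text as plain text and does not parse Lucene operators; only `query_string` and `simple_query_string` do, and for those Elasticsearch documents a reserved-character list that must be backslash-escaped (`<` and `>` cannot be escaped and have to be removed), which `escape_query_string_text` implements. The function names, the `field`/`user_input` parameters and the attacker-style sample input are constructed for illustration.

```rust
// Added example (std only, not from elasticsearch-rs): JSON-layer escaping,
// the anti-pattern it prevents, and query_string-layer escaping.

/// Escape `s` for use inside a JSON string literal (RFC 8259 section 7).
/// This is the rule serde_json applies when `json!` serializes a `String`.
pub fn escape_json_string(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            '\u{08}' => out.push_str("\\b"),
            '\u{0C}' => out.push_str("\\f"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Build the issue's `match` query body with the user value escaped, which is
/// what `json!({ "query": value })` does for you.
pub fn match_query_body(field: &str, user_input: &str) -> String {
    format!(
        r#"{{"query":{{"match":{{"{}":{{"query":"{}","analyzer":"standard"}}}}}}}}"#,
        escape_json_string(field),
        escape_json_string(user_input)
    )
}

/// Anti-pattern: pasting raw user text into a hand-built JSON body.
pub fn naive_match_query_body(field: &str, user_input: &str) -> String {
    format!(
        r#"{{"query":{{"match":{{"{}":{{"query":"{}","analyzer":"standard"}}}}}}}}"#,
        field, user_input
    )
}

/// Count occurrences of the key `"name":` in a serialized body. An escaped
/// quote (`\"`) inside a string value never forms `"name":`, so only keys
/// that are structurally part of the document are counted.
pub fn count_key(body: &str, name: &str) -> usize {
    let needle = format!("\"{}\":", name);
    body.matches(needle.as_str()).count()
}

/// Characters Elasticsearch reserves in the `query_string` syntax.
const QUERY_STRING_RESERVED: &str = r#"+-=&|><!(){}[]^"~*?:\/"#;

/// Escape user text for a `query_string` query so it is matched literally.
/// `<` and `>` cannot be escaped in that syntax, so they are dropped.
pub fn escape_query_string_text(s: &str) -> String {
    let mut out = String::with_capacity(s.len() * 2);
    for c in s.chars() {
        match c {
            '<' | '>' => {}
            c if QUERY_STRING_RESERVED.contains(c) => {
                out.push('\\');
                out.push(c);
            }
            c => out.push(c),
        }
    }
    out
}

fn main() {
    // Constructed attacker-style input that tries to smuggle an extra key.
    let input = r#"alice","size":10000,"x":""#;
    println!("escaped: {}", match_query_body("username", input));
    println!("naive:   {}", naive_match_query_body("username", input));
    println!("query_string text: {}", escape_query_string_text("(1+1)=2"));
}
```

Running it shows the escaped body still has exactly one `"size"`-free `match` clause, while the naive body gains a `"size":10000` key the caller never wrote; that difference, not the Elasticsearch server, is what decides whether user text can change a query's structure.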
russcam commented 3 years ago

Do you have some examples of malicious data that could be inserted into the above?

russcam commented 3 years ago

Closing this issue due to inactivity; feel free to re-open to continue discussion 👍