Closed dr0i closed 7 years ago
Just to clarify about the API 2.0 mention: we do not plan to allow direct usage of the full ES DSL (like full JSON queries in ES syntax or scripting), but direct usage of the ES query string syntax for field-specific queries. This should not make us more vulnerable to this kind of security issue.
But would it then still be possible to use aggregations? If not, you're making the API impractical for use in a catalog frontend...
We are way beyond ES 1.4.2. Closing this one.
This issue is vital to resolve #1!
Reported by @ahagenbruch: Because of security issues it is advised to update ES, see http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/ .
This update is not of high priority because we encapsulate ES through our API 1.0 so that no harm can be done (in contrast to API 2.0 (#1), where we allow using the ES DSL directly). For the instances which are part of a cluster residing in multiple data processing centres (see lobid/lodmill#100), dynamic script execution is disabled for Groovy, to be safe with ES 1.3.6.