kuzzleio / kuzzle-plugin-auth-passport-local

Provide local authentication with username/password for Kuzzle
Apache License 2.0

Use a whitelist instead of a blacklist for search action #80

Closed MathieuVeber closed 3 years ago

MathieuVeber commented 3 years ago

What does this PR do?

Search by credentials is a useful feature, but its security is a real headache... In order to guarantee maximum security we need to restrain its usage.

In this PR, the previous blacklist of ES keywords is replaced by a safer whitelist, which shouldn't be too restrictive even though it eliminates some possibilities. Bool, match, prefix & term queries are still available with some limited options. If you need a specific ES keyword that is not available, feel free to make a PR; if it's considered safe enough by the team, it should be merged.

How should this be manually tested?

Start a Kuzzle and use the action security:searchUsersByCredentials with the local strategy. Try several queries; some will be accepted while others will be rejected for security reasons. Note: changes are mostly behind the scenes.
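The allowlist approach described in the PR, as an added example that is not the plugin's own code: a recursive validator that accepts only `bool`, `match`, `prefix` and `term` queries (the keywords named above) and rejects every other ES keyword. Which options each leaf keyword may carry, and the `own()` guard against prototype-inherited keys, are assumptions made here, not details taken from the PR.

```javascript
// Added example, not the plugin's own code. The four accepted keywords come
// from the PR; the per-keyword options accepted below are an assumption.
const ALLOWED_BOOL_CLAUSES = ['must', 'should', 'must_not', 'filter'];
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key); // ignore inherited keys
const isScalar = (v) => ['string', 'number', 'boolean'].includes(typeof v);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// A leaf keyword targets one field whose value is a scalar or an object
// holding only the options listed here (assumed allowlist).
const LEAF_OPTIONS = {
  match: { query: isScalar, operator: (v) => v === 'and' || v === 'or' },
  prefix: { value: (v) => typeof v === 'string' },
  term: { value: isScalar },
};

function validateLeaf(keyword, body) {
  if (!isPlainObject(body) || Object.keys(body).length !== 1) {
    throw new Error(`${keyword} must target exactly one field`);
  }
  const [field, value] = Object.entries(body)[0];
  if (isScalar(value)) return;
  if (!isPlainObject(value)) throw new Error(`invalid value for ${keyword}.${field}`);
  for (const [opt, optValue] of Object.entries(value)) {
    const check = own(LEAF_OPTIONS[keyword], opt) ? LEAF_OPTIONS[keyword][opt] : null;
    if (!check || !check(optValue)) throw new Error(`option "${opt}" not allowed in ${keyword}`);
  }
}

// Recursively validate a query object; throws on anything outside the allowlist.
function validateQuery(query) {
  if (!isPlainObject(query) || Object.keys(query).length !== 1) {
    throw new Error('query must contain exactly one keyword');
  }
  const [keyword, body] = Object.entries(query)[0];
  if (keyword === 'bool') {
    if (!isPlainObject(body)) throw new Error('bool must be an object');
    for (const [clause, sub] of Object.entries(body)) {
      if (!ALLOWED_BOOL_CLAUSES.includes(clause)) throw new Error(`bool clause "${clause}" not allowed`);
      (Array.isArray(sub) ? sub : [sub]).forEach((q) => validateQuery(q));
    }
    return;
  }
  if (own(LEAF_OPTIONS, keyword)) return validateLeaf(keyword, body);
  throw new Error(`query keyword "${keyword}" is not in the allowlist`);
}
// Boolean wrapper for callers that prefer not to catch.
function isQueryAllowed(query) {
  try { validateQuery(query); return true; } catch (e) { return false; }
}
```

Because the check is an allowlist, a new ES keyword becomes usable only by adding it to `LEAF_OPTIONS` or `ALLOWED_BOOL_CLAUSES`, which is the review step the PR description asks for.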