[BUG] It is possible to create a user via REST API with restricted characters encoded using URL encoding.

opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields

https://opensearch.org/docs/latest/security-plugin/index/

Apache License 2.0

181 stars 264 forks source link

[BUG] It is possible to create a user via REST API with restricted characters encoded using URL encoding. #4513

Open willyborankin opened 3 days ago

willyborankin commented 3 days ago

What is the bug? It is possible to create a user both for PUT and PATCH with restricted characters encoded using URL encoding.

Do you have any screenshots? If applicable, add screenshots to help explain your problem.

Do you have any additional context? Add any other context about the problem.