The Opensearch documentation around using the low-level python client is here.
When executing search queries it shows the following example:
    # Search for the document.
    q = 'miller'
    query = {
        'size': 5,
        'query': {
            'multi_match': {
                'query': q,
                'fields': ['title^2', 'director']
            }
        }
    }
    response = client.search(
        body = query,
        index = index_name
    )
print('\nSearch results:')
print(response)
Is this vulnerable to SQL / DSL injection?
I'm surprised there isn't an example with a parameterised query. If this is vulnerable to an injection attack then I guess one would have to come up with their own validations to sanitise the input parameters...
It's definitely not SQL injection, because OpenSearch is not an SQL implementation.
The worst you could do is inject an OpenSearch DSL query string, if your q variable is based on untrusted input. That could result in a DSL syntax error, or a search you didn't intend. This could be considered code injection, but it's not likely to cause much harm.
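As an added illustration (not part of the question or the answer above, and not the opensearch-py client's own code), the following script contrasts two ways of building the search body offline, using only the standard library. build_body mirrors the dict-based body from the documentation snippet; build_body_by_text is a hypothetical, deliberately unsafe variant that splices q into a JSON template as text. The PAYLOAD string is a constructed attacker input. The client and index_name objects from the snippet are not needed here because the point is what the serialised body looks like before it is sent.

```python
import json

# The body from the question, built as a Python dict.  The client
# serialises this with json.dumps, so whatever `q` contains becomes one
# JSON string value: it cannot add keys or change the query's shape.
def build_body(q: str, size: int = 5) -> dict:
    if not isinstance(q, str):
        raise TypeError("q must be a string")
    return {
        "size": size,
        "query": {
            "multi_match": {
                "query": q,
                "fields": ["title^2", "director"],
            }
        },
    }

# Hypothetical unsafe variant for contrast: user input spliced into a JSON
# template as text.  This is NOT what the documentation snippet does.
_TEMPLATE = (
    '{"size": 5, "query": {"multi_match": {"query": "%s", '
    '"fields": ["title^2", "director"]}}}'
)

def build_body_by_text(q: str) -> dict:
    return json.loads(_TEMPLATE % q)

# Constructed attacker input (not from the page): closes the string and the
# multi_match/query objects, supplies its own top-level clauses, then
# re-opens enough objects that the template's tail still parses.
PAYLOAD = (
    'miller"}}, "size": 10000, "query": {"match_all": {}}, '
    '"_pad": {"multi_match": {"query": "'
)

def compare(q: str) -> dict:
    """Round-trip both bodies through JSON and report what the server would receive."""
    safe = json.loads(json.dumps(build_body(q)))
    try:
        unsafe = build_body_by_text(q)
    except json.JSONDecodeError:
        unsafe = None  # template broken: a DSL syntax error, the mild outcome
    return {
        "dict_query_text": safe["query"]["multi_match"]["query"],
        "dict_size": safe["size"],
        "text_query": None if unsafe is None else unsafe["query"],
        "text_size": None if unsafe is None else unsafe["size"],
    }

if __name__ == "__main__":
    print(json.dumps(compare("miller"), indent=2))
    print(json.dumps(compare(PAYLOAD), indent=2))
```

With the dict-based body the payload survives only as the literal search text (escaped quotes and all), and size stays 5. With the text template, Python's JSON parser keeps the last value for a duplicated key, so the parsed body has query set to match_all and size set to 10000; what a given server does with duplicate keys is a separate question, but the structure has clearly been altered by the input. Note also that multi_match treats q as search terms rather than parsing operator syntax; a query_string query would interpret user-supplied operators, which is the "search you didn't intend" case.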