Is this SQL/NoSQL/DSL injection in Opensearch python client?

The Opensearch documentation around using the low-level python client is here.

When executing search queries it shows the following example:

# Client setup added so the snippet runs on its own; the host, port and
# index name below are assumed placeholders, not values from the docs.
from opensearchpy import OpenSearch

client = OpenSearch(hosts=[{'host': 'localhost', 'port': 9200}])
index_name = 'movies'

# Search for the document.
q = 'miller'
# The body is a Python dict; the client serialises it to JSON, so q ends up
# as a single string value under multi_match.query.
query = {
  'size': 5,
  'query': {
    'multi_match': {
      'query': q,
      'fields': ['title^2', 'director']
    }
  }
}

response = client.search(
    body=query,
    index=index_name
)
print('\nSearch results:')
print(response)

Is this vulnerable to SQL / DSL injection?

I'm surprised there isn't an example with a parameterised query. If this is vulnerable to an injection attack then I guess one would have to come up with their own validations to sanitise the input parameters...

It's definitely not SQL injection, because OpenSearch is not an SQL implementation.

The worst you could do is inject an OpenSearch DSL query string, if your q variable is based on untrusted input. That could result in a DSL syntax error, or a search you didn't intend.

This could be considered code injection, but it's not likely to cause much harm.
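An added example, not part of the question or the answer, showing why the answer holds for the docs snippet: when the body is built as a dict and serialised by the client, any value of q stays a single string leaf, whereas splicing user input into hand-written JSON text (a constructed anti-pattern, not what the docs do) lets the input add keys to the query. The adversarial input and the validation helper are constructed for the demo.

```python
import json

# Constructed adversarial input: tries to close the string and add DSL keys.
ADVERSARIAL_Q = 'miller", "size": 10000, "x": "'


def build_query(q, size=5):
    """Body built as a dict, as in the docs example. q is one string value."""
    return {
        'size': size,
        'query': {
            'multi_match': {
                'query': q,
                'fields': ['title^2', 'director'],
            }
        }
    }


def build_query_by_string(q, size=5):
    """Anti-pattern for contrast: user input spliced into JSON text, so the
    input can change the structure of the document, not just a value."""
    return ('{"size": %d, "query": {"multi_match": {"query": "%s", '
            '"fields": ["title^2", "director"]}}}' % (size, q))


def as_sent(body):
    """Round-trips the body through JSON, which is what reaches the server,
    and returns the parsed document so its structure can be inspected."""
    text = body if isinstance(body, str) else json.dumps(body)
    return json.loads(text)


def multi_match_keys(body):
    """Keys that actually land inside multi_match after serialisation."""
    return set(as_sent(body)['query']['multi_match'])


def is_acceptable_term(q, max_len=256):
    """Input hygiene a caller may still want even though the dict form is
    structurally safe: a bounded-length string without control characters."""
    if not isinstance(q, str) or len(q) > max_len:
        return False
    return all(ord(c) >= 32 for c in q)
```

With the dict form the adversarial text is searched for literally (the answer's "search you didn't intend" at worst); with the string form it becomes extra keys inside multi_match.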