
Does Elasticsearch-py sanitize queries?

I'm new to ES and wondering if the search function sanitizes the inner "query" field in the body parameter when handed something like:

   {
      "query": {
         "filtered": {
            "query": {
               "match": {
                  "_all": {
                     "query": "[THIS PARAMETER]",
                     "operator": "and"
                  }
               }
            }
         }
      }
   }

I've tried every input I can to break it and I can't seem to. I created a sanitization function but that was actually leading to worse search results when searching strings such as "&" or "+". I've looked through the code and can't seem to find any obvious sanitization of that field. I just want to be sure before I send a user's search query right through the function.

Thanks
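The point the question turns on can be checked offline. The following is an added example, not code from the question or from the elasticsearch-py project: it builds the body from the question as a Python dict, serialises it the way a JSON client does (plain `json.dumps` stands in for the client's own serializer here, an assumption), and shows that the user string only ever lands as a JSON value, so nothing typed into it can change the shape of the query. It contrasts that with splicing the text into a JSON template by string formatting, which is where an injection-style problem would actually come from. The last helper covers the separate case the asker's own sanitiser was aimed at: characters such as `+` and `&` carry meaning only in a `query_string` query, whose text Lucene parses as syntax; a `match` query treats the value as plain analysed text, so escaping there only degrades results.

```python
import json

# Reserved characters of the Lucene query_string syntax as listed in the
# Elasticsearch reference. They matter only when user text is handed to a
# query_string query; a match query treats its value as plain analysed text.
QUERY_STRING_RESERVED = set('+-=&|><!(){}[]^"~*?:\\/')


def build_match_body(user_text: str) -> dict:
    """Build the body from the question as a dict.

    The user string is a JSON *value*. The client serialises the whole dict,
    so the structure of the query is fixed by this code, not by the input.
    """
    return {
        "query": {
            "filtered": {
                "query": {
                    "match": {
                        "_all": {"query": user_text, "operator": "and"}
                    }
                }
            }
        }
    }


def serialize(body: dict) -> str:
    """Stand-in for the client's JSON serializer (assumption: json.dumps)."""
    return json.dumps(body)


def user_text_survives_as_value(user_text: str) -> bool:
    """Round-trip the body and check the text is still a verbatim value."""
    decoded = json.loads(serialize(build_match_body(user_text)))
    path = decoded["query"]["filtered"]["query"]["match"]["_all"]
    return path["query"] == user_text


def build_body_by_string_formatting(user_text: str) -> str:
    """The anti-pattern: splicing user text into a JSON template."""
    template = '{"query": {"match": {"_all": {"query": "%s", "operator": "and"}}}}'
    return template % user_text


def string_formatted_body_preserves_text(user_text: str) -> bool:
    """True only if the spliced body still parses and still carries the text.

    A quote or backslash in the input breaks the JSON or changes its shape,
    which is the failure mode building the body as a dict avoids.
    """
    try:
        decoded = json.loads(build_body_by_string_formatting(user_text))
    except json.JSONDecodeError:
        return False
    try:
        return decoded["query"]["match"]["_all"]["query"] == user_text
    except (KeyError, TypeError):
        return False


def escape_for_query_string(user_text: str) -> str:
    """Escape user text for a query_string query only.

    Each reserved character gets a leading backslash; '<' and '>' cannot be
    escaped at all in that syntax, so they are dropped. Do not apply this to
    a match query: there the characters are ordinary text already.
    """
    out = []
    for ch in user_text:
        if ch in "<>":
            continue
        if ch in QUERY_STRING_RESERVED:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs: the kind of thing a user might type into a search box.
    for text in ['a"b', "& + && ||", "C:\\path", "plain text"]:
        print(repr(text),
              "dict body ok:", user_text_survives_as_value(text),
              "spliced body ok:", string_formatted_body_preserves_text(text))
    print(escape_for_query_string("a+b:c <d>"))
```

The practical rule this illustrates: pass the body to the client as a dict and let it serialise, never assemble JSON from user strings, and reserve Lucene escaping for `query_string` (or `simple_query_string`) queries, where the text really is parsed as syntax.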

I see three more possible approaches to validate es against an inverted attack against the indexes, which are databases, in an attack similar to SQL injection:

  1. How well do you know Lucene and how it handles attacks? Pursuing Lucene architecture and supporting code directly may provide you with insight into how es handles attacks

  2. Try a SOLR approach, which also uses Lucene, and see how SOLR handles attacks; SOLR fell behind es, then has been catching up and improving other areas; there are some interesting SWOT architectural comparisons between es and SOLR

  3. Lay down part of the ELK stack--at least Kibana and es, and test Kibana, which may generate other es/Lucene code that you could test
