@jlecour
Last active August 29, 2015 14:02
A very naive attempt to prevent script injection in Elasticsearch requests. `distance_script_field` is a helper used when building a complete request.

```ruby
# Validating version: the two identifiers are checked against an allow-list
# before they are interpolated into the script source, and the coordinates
# must parse as floats. The coordinates themselves never enter the script
# text; they are sent as script params.
def distance_script_field(name: "distance", field: "lat_lng", lat:, lng:)
  # \A...\z anchors the whole string. \z (rather than \Z) also rejects a
  # trailing newline, so only [A-Za-z0-9_] identifiers pass.
  valid_pattern = /\A[\w]+\z/
  valid_pattern.match(name) or fail(ArgumentError, "Invalid value for name: #{name.inspect}")
  valid_pattern.match(field) or fail(ArgumentError, "Invalid value for field: #{field.inspect}")
  # Float() raises on nil and on anything that is not a number; the
  # statement-modifier rescue turns that into a consistent ArgumentError.
  Float(lat) rescue raise(ArgumentError, "Invalid value for lat: #{lat.inspect}")
  Float(lng) rescue raise(ArgumentError, "Invalid value for lng: #{lng.inspect}")
  {
    name => {
      # Only the validated field name is interpolated into the script source.
      script: "doc['#{field}'].arcDistanceInKm(lat,lon)",
      params: {
        lat: lat,
        lon: lng
      }
    }
  }
end
```
```ruby
# Unvalidated version, kept for comparison: whatever is passed as `field`
# (or `name`) is interpolated verbatim into the script source.
def distance_script_field(name: "distance", field: "lat_lng", lat:, lng:)
  {
    name => {
      script: "doc['#{field}'].arcDistanceInKm(lat,lon)",
      params: {
        lat: lat,
        lon: lng
      }
    }
  }
end
```
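The following is an added example, not code from the gist. It applies the same two controls as the validating version above (an anchored identifier allow-list and coordinates passed as params rather than interpolated), wraps the script field in a complete search body, and adds a final check on the generated script source before the body is serialised. The names `IDENTIFIER`, `SCRIPT_TEMPLATE`, `identifier!`, `coordinate!`, `checked_distance_script_field`, `search_body`, `scripts_match_template?` and `request_json` are this example's own, and the search body is a constructed one.

```ruby
require "json"

# Added example, not part of the original gist.

# \z, unlike \Z, also rejects a trailing newline; \w is ASCII [A-Za-z0-9_].
IDENTIFIER = /\A\w+\z/.freeze

# The only script source this helper is ever allowed to emit.
SCRIPT_TEMPLATE = /\Adoc\['\w+'\]\.arcDistanceInKm\(lat,lon\)\z/.freeze

# Allow-list check for anything that will be interpolated into script text.
def identifier!(label, value)
  value = value.to_s
  unless IDENTIFIER.match?(value)
    raise ArgumentError, "Invalid value for #{label}: #{value.inspect}"
  end
  value
end

# Coerce to Float so the value reaches Elasticsearch as a number inside
# params, never as text; nil and non-numeric strings are rejected.
def coordinate!(label, value)
  Float(value)
rescue ArgumentError, TypeError
  raise ArgumentError, "Invalid value for #{label}: #{value.inspect}"
end

def checked_distance_script_field(name: "distance", field: "lat_lng", lat:, lng:)
  name  = identifier!("name", name)
  field = identifier!("field", field)
  {
    name => {
      # Only the validated field name is interpolated into the script source.
      script: "doc['#{field}'].arcDistanceInKm(lat,lon)",
      # Coordinates travel as params, outside the script source entirely.
      params: { lat: coordinate!("lat", lat), lon: coordinate!("lng", lng) }
    }
  }
end

# A complete (constructed) search body that uses the script field.
def search_body(lat:, lng:, field: "lat_lng", size: 10)
  {
    query: { match_all: {} },
    size: size,
    script_fields: checked_distance_script_field(field: field, lat: lat, lng: lng)
  }
end

# Defence in depth at the request boundary: every script source in the body
# must still match the single template we expect, whatever validated it upstream.
def scripts_match_template?(body)
  body.fetch(:script_fields, {}).values.all? do |spec|
    spec[:script].is_a?(String) && SCRIPT_TEMPLATE.match?(spec[:script])
  end
end

# Serialise the body only after the template check passes.
def request_json(lat:, lng:, field: "lat_lng")
  body = search_body(lat: lat, lng: lng, field: field)
  unless scripts_match_template?(body)
    raise ArgumentError, "unexpected script source in request body"
  end
  JSON.generate(body)
end

if __FILE__ == $PROGRAM_NAME
  puts request_json(lat: "48.8566", lng: 2.3522)
  # Constructed malformed field names: a quote, a trailing newline, a space.
  ["lat'lng", "lat_lng\n", "lat lng"].each do |bad|
    begin
      request_json(lat: 1, lng: 2, field: bad)
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

With the unvalidated version of the helper, a `field` value containing a quote or bracket becomes part of the script source, which is the injection the gist description refers to; the allow-list rejects it at the helper, and `scripts_match_template?` would catch any script source that somehow bypassed that check before the request is sent. Note that `coordinate!` returns floats, so a coordinate given as a string is sent to Elasticsearch as a JSON number.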