diff options
| author | Bryan Newbold <bnewbold@archive.org> | 2021-03-29 19:32:54 -0700 |
|---|---|---|
| committer | Bryan Newbold <bnewbold@archive.org> | 2021-03-29 19:33:19 -0700 |
| commit | b0f259eff213214d08346cfb4789439d526a9790 (patch) | |
| tree | efc3ff454b063f69e7e6e77a9a6e609fa15579e3 /src | |
| parent | 3212ce9a263083377fb40778e8f49a86ffea2047 (diff) | |
| download | es-public-proxy-b0f259eff213214d08346cfb4789439d526a9790.tar.gz es-public-proxy-b0f259eff213214d08346cfb4789439d526a9790.zip | |
in safe-mode, allow index API methods without trailing slash
If we allowed this in `unsafe_all_indices`, then all top-level API
methods would be available, which we don't want.
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib.rs | 12 |
1 files changed, 12 insertions, 0 deletions
@@ -143,6 +143,18 @@ pub async fn filter_request( | (&Method::OPTIONS, [index, ""]) => { filter_read_request(index, path_chunks[1], ¶ms, config)? } + (&Method::GET, [index]) + | (&Method::HEAD, [index]) + | (&Method::OPTIONS, [index]) => { + // only allow operations on index name (no trailing slash) if not "unsafe_all_indices" + // (aka, only if indexes are explicitly enumerated) + // otherwise all top-level API endpoints would be allowed + if config.unsafe_all_indices != Some(true) { + filter_read_request(index, "", ¶ms, config)? + } else { + Err(ProxyError::NotSupported("unknown elasticsearch API endpoint".to_string()))? + } + } (&Method::GET, [index, "_mapping"]) | (&Method::HEAD, [index, "_mapping"]) | (&Method::OPTIONS, [index, "_mapping"]) => { |