aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorBryan Newbold <bnewbold@archive.org>2021-03-29 19:32:54 -0700
committerBryan Newbold <bnewbold@archive.org>2021-03-29 19:33:19 -0700
commitb0f259eff213214d08346cfb4789439d526a9790 (patch)
treeefc3ff454b063f69e7e6e77a9a6e609fa15579e3 /src
parent3212ce9a263083377fb40778e8f49a86ffea2047 (diff)
downloades-public-proxy-b0f259eff213214d08346cfb4789439d526a9790.tar.gz
es-public-proxy-b0f259eff213214d08346cfb4789439d526a9790.zip
in safe-mode, allow index API methods without trailing slash
If we allowed this in `unsafe_all_indices`, then all top-level API methods would be available, which we don't want.
Diffstat (limited to 'src')
-rw-r--r--src/lib.rs12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/lib.rs b/src/lib.rs
index 4431daa..61aeb83 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -143,6 +143,18 @@ pub async fn filter_request(
| (&Method::OPTIONS, [index, ""]) => {
filter_read_request(index, path_chunks[1], &params, config)?
}
+ (&Method::GET, [index])
+ | (&Method::HEAD, [index])
+ | (&Method::OPTIONS, [index]) => {
+ // only allow operations on index name (no trailing slash) if not "unsafe_all_indices"
+ // (aka, only if indexes are explicitly enumerated)
+ // otherwise all top-level API endpoints would be allowed
+ if config.unsafe_all_indices != Some(true) {
+ filter_read_request(index, "", &params, config)?
+ } else {
+ Err(ProxyError::NotSupported("unknown elasticsearch API endpoint".to_string()))?
+ }
+ }
(&Method::GET, [index, "_mapping"])
| (&Method::HEAD, [index, "_mapping"])
| (&Method::OPTIONS, [index, "_mapping"]) => {