From b0f259eff213214d08346cfb4789439d526a9790 Mon Sep 17 00:00:00 2001
From: Bryan Newbold
Date: Mon, 29 Mar 2021 19:32:54 -0700
Subject: in safe-mode, allow index API methods without trailing slash

If we allowed this in `unsafe_all_indices`, then all top-level API methods would be available, which we don't want.
---
 src/lib.rs | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'src')

diff --git a/src/lib.rs b/src/lib.rs
index 4431daa..61aeb83 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -143,6 +143,18 @@ pub async fn filter_request(
 | (&Method::OPTIONS, [index, ""]) => {
 filter_read_request(index, path_chunks[1], ¶ms, config)?
 }
+ (&Method::GET, [index])
+ | (&Method::HEAD, [index])
+ | (&Method::OPTIONS, [index]) => {
+ // only allow operations on index name (no trailing slash) if not "unsafe_all_indices"
+ // (aka, only if indexes are explicitly enumerated)
+ // otherwise all top-level API endpoints would be allowed
+ if config.unsafe_all_indices != Some(true) {
+ filter_read_request(index, "", ¶ms, config)?
+ } else {
+ Err(ProxyError::NotSupported("unknown elasticsearch API endpoint".to_string()))?
+ }
+ }
 (&Method::GET, [index, "_mapping"])
 | (&Method::HEAD, [index, "_mapping"])
 | (&Method::OPTIONS, [index, "_mapping"]) => {
--
cgit v1.2.3
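Review bot: The new `[index]` arm matches every single-segment path, so in safe mode a top-level endpoint name such as `_cat` or `_cluster` is passed to `filter_read_request` as if it were an index, and the only thing refusing it is whatever allowlist check that function performs, which is not visible in this hunk. Elasticsearch index names cannot begin with `_`, so the guard could fail closed on its own: `if config.unsafe_all_indices != Some(true) && !index.starts_with('_') {`. Any single-segment arm declared further down in `filter_request` (the function starts and ends outside the hunk) would be shadowed by this one, so the arm order is worth checking. The diffstat shows only `src/lib.rs` changed; a test would pin the behaviour by checking that an enumerated index without a trailing slash is allowed, and that an unlisted or underscore-prefixed name is refused in both modes.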