[
https://issues.apache.org/jira/browse/FLUME-2273?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13987878#comment-13987878
]
Edward Sargisson commented on FLUME-2273:
-----------------------------------------
The scenario in my head is:
* header substitution for indexType, indexName is set in the config
* REST client in use.
A malicious attacker then crafts an event where the indexType header is
'../../protectedIndex/protectedType'. They can then write into an index they're
not supposed to.
I don't know if ES does relative addressing in its REST server; that's why I'm
raising the question.
> ElasticSearchSink: Add handling for header substitution in indexName
> --------------------------------------------------------------------
>
> Key: FLUME-2273
> URL: https://issues.apache.org/jira/browse/FLUME-2273
> Project: Flume
> Issue Type: Improvement
> Components: Sinks+Sources
> Affects Versions: v1.4.0
> Reporter: Paul Merry
> Priority: Minor
> Attachments: FLUME-2273.patch, new_FLUME-2273-2.patch,
> new_FLUME-2273-5.patch, new_FLUME-2273.patch
>
>
> The ElasticSearchSink would be improved by allowing for header substitution
> in the indexName property.
> A use case is where the sink is an intermediate part of a chain and the index
> name is required to identify the message origin, at present it can only be a
> hardcoded value.
> The HDFS sink already supports header substitution so a similar format would
> maintain consistency.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
