Description
Right now, the Java demo app passes a location and a description directly into the methods for building an FTS query.
Are these parameters adequately sanitized in the SDK (i.e. can a caller-supplied `location` or `description` alter the structure of the FTS query rather than just the phrase being matched), or is it the responsibility of the demo app to do that sanitization somehow? If the latter, what should we recommend to our users?
Here is the relevant code:
public Result<List<Map<String, Object>>> findHotels(final Cluster cluster, final String location, final String description) { |
ConjunctionQuery fts = SearchQuery.conjuncts(SearchQuery.term("hotel").field("type")); |
|
if (location != null && !location.isEmpty() && !"*".equals(location)) { |
fts.and(SearchQuery.disjuncts(
|
SearchQuery.matchPhrase(location).field("country"), |
SearchQuery.matchPhrase(location).field("city"), |
SearchQuery.matchPhrase(location).field("state"), |
SearchQuery.matchPhrase(location).field("address") |
));
|
}
|
|
if (description != null && !description.isEmpty() && !"*".equals(description)) { |
fts.and(
|
SearchQuery.disjuncts(
|
SearchQuery.matchPhrase(description).field("description"), |
SearchQuery.matchPhrase(description).field("name") |
));
|
}
|
|
SearchQuery query = new SearchQuery("hotels", fts) |
.limit(100); |
|
logQuery(query.export().toString());
|
SearchResult result = cluster.searchQuery(query);
|