
Library to securely expose query language to end user?

Çağlar Arlı      -    8 Views


I have a DB that I would like to expose to end users for flexible search through their data. Currently using Elastic, but not tied to that: I can internally transform the data in any way to enable secure, flexible querying.

What I'm curious about is how to expose a query language such as Elastic's Simple query string DSL in a safe way. I see hints like in this thread that simple query is safe to expose to end users, but nothing of the sort on the documentation page.

My application would authenticate users the usual way, add filters to their query based on user ID, and then forward the query directly to Elastic.

Here are some of my safety concerns:

  • Injection attacks enabling writes
  • Injection attacks to bypass user ID query filtering logic
  • DDoS

Any advice in this area is appreciated - I imagine there are well-used approaches because this seems like a fairly common problem, but I couldn't find anything clear.
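One way to structure the layer the question describes (authenticate, attach a per-user filter, forward to Elastic) is to keep the user's text strictly as a JSON string value inside a `simple_query_string` clause, and to add the ownership filter as a separate `filter` clause of an enclosing `bool` query built by the server. The user's input then has no way to reach the surrounding structure, and the layer only ever emits a `_search` request, so writes are out of scope by construction. The snippet below is an added illustration, not code from the original post or from Elastic; the index name, field names and size limits are assumptions chosen for the example, and the `flags` value is one deliberate choice that disables the more expensive operators (fuzzy, near, prefix) to limit the cost of a single query.

```python
import json

# Constructed names for this example: the index, the fields a user is
# allowed to search, and the field that carries the owning user's ID.
SEARCH_INDEX = "documents"
USER_ID_FIELD = "owner_id"
SEARCHABLE_FIELDS = ["title", "body"]
MAX_RESULTS = 50
MAX_QUERY_LEN = 512

# Operators the user is permitted to use in simple_query_string. Leaving out
# FUZZY, NEAR, PREFIX and SLOP avoids the term expansions that make a single
# query expensive for the cluster (a cost-limiting choice, not a hard rule).
ALLOWED_FLAGS = "AND|OR|NOT|PHRASE|WHITESPACE"


def build_search_body(user_id, user_query, size=MAX_RESULTS):
    """Wrap the raw user query in a bool query with a server-side owner filter.

    The user text appears only as a JSON string value inside
    simple_query_string, so it cannot alter the surrounding structure. The
    owner filter is added here from the authenticated user ID, never parsed
    from the user's input, so it cannot be removed or widened by the query.
    """
    if not isinstance(user_query, str) or len(user_query) > MAX_QUERY_LEN:
        raise ValueError("query must be a string of at most %d characters" % MAX_QUERY_LEN)
    return {
        # Caps on result size and wall-clock time bound the cost of one request.
        "size": min(int(size), MAX_RESULTS),
        "timeout": "2s",
        "query": {
            "bool": {
                "must": [
                    {
                        "simple_query_string": {
                            "query": user_query,
                            "fields": SEARCHABLE_FIELDS,
                            "default_operator": "and",
                            "flags": ALLOWED_FLAGS,
                        }
                    }
                ],
                # Filter context: non-scoring and always applied.
                "filter": [{"term": {USER_ID_FIELD: user_id}}],
            }
        },
    }


def search_request(user_id, user_query):
    """Return (method, path, body) for the only kind of request this layer emits.

    The path is fixed to the _search endpoint of one index, so no request built
    here can reach an index, document or bulk write API.
    """
    body = build_search_body(user_id, user_query)
    return ("POST", "/%s/_search" % SEARCH_INDEX, json.dumps(body))


def demo():
    """Build a request for a constructed input that tries to close the JSON
    string and inject its own filter clause; it stays inside the string."""
    hostile = '"} ], "filter": [] , "x": {"y": "'
    method, path, body = search_request("user-42", hostile)
    parsed = json.loads(body)
    sqs = parsed["query"]["bool"]["must"][0]["simple_query_string"]
    return {
        "method": method,
        "path": path,
        "filter": parsed["query"]["bool"]["filter"],
        "query_text": sqs["query"],
        "fields": sqs["fields"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The important property is that `user_query` is serialised by `json.dumps`, so quotes and braces in it are escaped rather than interpreted, and the `filter` list is populated from the authenticated `user_id` alone. Whether the operators left enabled in `flags` are acceptable for a given deployment is a separate cost decision; the structure above does not depend on it.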