
I am using the Elasticsearch Java API to create indexes and write queries for search. The indexes are created on various fields. One of the fields is numeric (integer), and an index is created on it.

Now the input we get is in the form of a string. We have to search all the fields for the input provided. To search on the numeric field we are using the QueryBuilders.rangeQuery() method.

But when it encounters a non-integer value in the "to" or "from" field, it throws

SearchPhaseExecutionException[Failed to execute phase [query].
nested: NumberFormatException[For input string: \"30y\"]

How can I avoid this? It's fine that we do not get any search results, but I want to avoid this exception, as there can be cases where we get non-integer input.

Another option is to check all the input tokens, which I want to avoid because it will add another level of checking, which will impact performance.

Is there any way I can accomplish this with the Elasticsearch API?

1 Answer

Another option is to check all the input tokens, which I want to avoid because it will add another level of checking, which will impact performance.

Checking/validating the user input is something that you should always do, in any case, whatever your performance requirements are. If you don't, you unnecessarily expose your cluster not only to unknown future threats but also to known ones that have been causing some damage lately, and which can have a much worse impact on your cluster and/or business than a few milliseconds spent cleaning up user input. Elasticsearch is flexible and can do wonders, but you have to play nice with it, too.

That being said, if you really want to avoid secure coding best practices, you can use the following query that won't bark if the input data is not compliant.

{
  "query": {
    "simple_query_string": {
      "query": "numfield:[10y TO *]"
    }
  }
}

simple_query_string is the equivalent of query_string but is much more permissive with the input and will never throw an exception.


2 Comments

Thanks for the useful info, Val. We have finally decided to check the input before creating the query. This will save us a call to the DB, which compensates for the time taken for the check.
Nice, you took the right approach ;) That simple validation check will definitely be worth it, indeed!
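The two approaches discussed above, as an added example that is not code from the question, the answer or Elasticsearch itself: the integer bound is validated before a range clause is built (the approach settled on in the comments), and the answer's simple_query_string form is shown as the permissive alternative. The field names numfield, title and city and the int32 limits of an Elasticsearch 'integer' field are assumptions for the example; the query bodies are plain query DSL dicts rather than Java QueryBuilders calls.

```python
import re

# Added example, not code from the question or the answer: validate the
# numeric token in our own code so Elasticsearch never has to parse "30y".
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def parse_int32(token):
    """Return token as an int if it is a valid Elasticsearch 'integer' value,
    else None. Rejects '30y', '1e3', ' 12 ' and anything outside int32."""
    if re.fullmatch(r"[+-]?[0-9]+", token) is None:
        return None
    value = int(token)
    return value if INT32_MIN <= value <= INT32_MAX else None


def range_clause(field, from_token=None, to_token=None):
    """Range clause from raw string bounds; None or '*' means unbounded, as in
    the answer's '[10y TO *]' notation. Returns None if a given bound is not a
    valid int32 (caller then skips the numeric field) or no bound is left."""
    bounds = {}
    for key, token in (("gte", from_token), ("lte", to_token)):
        if token is None or token == "*":
            continue
        value = parse_int32(token)
        if value is None:
            return None
        bounds[key] = value
    return {"range": {field: bounds}} if bounds else None


def build_query(user_input, text_fields, numeric_field):
    """Search every text field for the input and, only when the input is a
    valid integer, the numeric field too (as a lower bound, like the answer)."""
    should = [{"multi_match": {"query": user_input, "fields": text_fields}}]
    numeric = range_clause(numeric_field, from_token=user_input)
    if numeric is not None:
        should.append(numeric)
    return {"query": {"bool": {"should": should, "minimum_should_match": 1}}}


def permissive_query(numeric_field, user_input):
    """The answer's alternative: simple_query_string tolerates bad input
    instead of raising, at the cost of silently matching nothing."""
    return {"query": {"simple_query_string": {
        "query": f"{numeric_field}:[{user_input} TO *]"}}}
```

For the input "30y", build_query emits only the multi_match clause, so the request reaches the cluster without a range clause that would fail with NumberFormatException.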
