1 ) I have a question regarding simpleQueryString flags. In current newest version (6.1.4.Final) there is still no support for flags: SLOP and NONE (check SimpleQueryFlag.java), do you have any plans to add support for these flags?
Elasticsearch documentation:
If there is not specified flags then all flags are active like wildcard, fuzzy and so on:
In my case I would like to disable all flags. But I cannot choose flag NONE (no support in SimpleQueryFlag) so as a workaround I have to choose SimpleQueryFlag.WHITESPACE with the least impact to disable all others:
I found something strange. Even If I activated just one flag lets say .flags(SimpleQueryFlag.WHITESPACE) the wildcard was still working. Only wildcard, others were disabled properly. As a result i could just get all data from my index. As a workaround I had to parse input and remove all wildcards.
Why wildcard is active when I choose only one flag f.e. SimpleQueryFlag.WHITESPACE?? I think in such case just one operator should work (whitespace) an all other should be disabled.
As explained in the documentation you linked, SLOP is synonymous to NEAR, which we already support. We don’t intend to add new flags that are redundant.
NONE can be achieved by passing an empty list of flags: .flags(Collections.emptySet()).
Use .flags(Collections.emptySet()).
This is not normal. Are you sure it’s not caused by you using specific analyzers that reproduce the behavior of a prefix query (e.g. with the edge_ngram filter)? Can you provide a reproducer based on this template?
Sorry: I just checked the code, and it turns out an empty set of flags is not interpreted as NONE as I expected, and as we do for other flags elsewhere… I opened [HSEARCH-4536] - Hibernate JIRA to fix this.
EDIT: This was fixed in Hibernate Search 6.1.5.Final.
Ok, I will do it but later, don’t know when, for now I don’t have much time unfortunately.
But for now i will copy part of my test and I will have a fast question:
In my opinion the wildcard should be removed by CharFilters.PATTERN_REPLACE_SPECIAL_CHARS during search and it shouldn’t have any impact. But this search returns all results(even “description_normalized” that are nulls). What is your opinion?
Thanks for the reproducer. I spent quite some time on this, and must admit I was a bit dumbfounded… until I stumbled upon this code in Lucene:
if ("*".equals(queryText.trim())) {
return new MatchAllDocsQuery();
}
With any other character, you would get the behavior you want, because the text would indeed get analyzed, would be reduced to an empty list of tokens, and eventually the parsed query would be a MatchNoDocsQuery.
But you hit the one character hardcoded in the parser that triggers this behavior of matching every document.
This is Lucene, not Elasticsearch, but I’m fairly confident Elasticsearch relies on this exact parser and thus is affected the same way.
I’m afraid there isn’t much Hibernate Search can do to remove this behavior, and I suspect reporting it to Lucene/Elasticsearch won’t help, as this seems fairly intentional, although undocumented.
Maybe I should document this somewhere, though
I guess in your application, you could pre-process the query string to replace * with an empty string. But that’s about all I have to suggest.
I would say it’s a bit dangerous, someone implementing search by simpleQueryString can accidentally allow users to access all the data (without even thinking about this situation), yayks.
I’m currently removing all * from the query, but I didn’t like that solution and thought there was a better way to solve this problem or I missed something.
But now everything is clear, thanks so much for explanations, suggestions and your time.
While I agree to some extent, any filters you want to apply should be added separately through a bool predicate, and would thus be unaffected by what the user types: even * would be filtered.
Also, if you want strict security, it would be a good idea to also have a safety net after the query execution, to check that each returned search hit is indeed accessible by the user who requested the search. That’s important in particular because the index may lag behind the database, and permissions might change over time. I know Spring Security allows post-execution security checks through AOP, i.e. annotations on your service methods + dedicated components that check permissions on a given object; and I’m sure other frameworks offer similar solutions.
