Possible security risk or proxies


James McKinney

Nov 14, 2011, 10:03:33 AM
to ajax...@googlegroups.com
Hi all,

For any of you proxying requests to Solr, be careful with which parameters you allow to pass through! See this Solr issue:


If you pass all user-provided parameters, even on a /select query, you may expose yourself to a query that deletes the entire index. To avoid this scenario, use a whitelist approach of only passing on parameters that you expect (q, fq, sort, facet, etc.) and not those that you don't expect (in the above linked issue, passing stream.url without any validation/filtering creates the security risk).

Cheers,

James

david.w...@gmail.com

Nov 14, 2011, 10:48:56 AM
to ajax...@googlegroups.com
Yup; I reported that issue ;-)  One of the easiest things you can do is simply disable "remote streaming" in solrconfig.xml, assuming you aren't using it.  There is already a warning in the config about its inherent security risk.
It's unfortunate there isn't a parameter filter & cleanser for Solr; at least not one that I know of.  Even putting aside the bug I reported, it's fairly easy to do a denial-of-service attack against Solr by:
 * faceting on all fields
 * sorting on all fields (that are sortable)
 * using function queries on all fields you can do function queries on
Those actions will trigger an explosion of RAM usage.  Next to pack a punch to the CPU:
 * Return a massive result set (rows=1000000)
 * Return all fields
 * highlight on all of them
 * Do fuzzy queries with a low threshold: solr~0.01
 * Enable debugQuery=on
 * etc.... basically use every Solr component you can think of.

Most of these problems could be reduced a lot by a simple parameter name whitelist and even some basic parameter value validation.  I think this would make a great Solr component; I've had it on the back of my mind for a while.

~ David Smiley
P.S. the 2nd edition of my book was published today: http://www.packtpub.com/apache-solr-3-enterprise-search-server/book
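The parameter whitelist James describes and the value validation David asks for, as an added example that is not code from this thread or from ajax-solr: a small filter a Solr proxy would run on the incoming query string before forwarding it to /select. It keeps only expected parameter names (so stream.url, stream.body, qt, shards and debugQuery never reach Solr), caps the values that drive RAM and CPU cost (rows, facet.limit, the number of facet fields and fq clauses), and restricts the response writer. The parameter names are standard Solr parameters; the numeric limits and the set of allowed names are assumptions chosen for illustration and should be adjusted to what the front end actually uses.

```python
"""Parameter allowlist and value validation for a Solr /select proxy.

Added example, not code from the thread. The allowed names are standard
Solr request parameters; the numeric caps are assumptions for illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode

# Parameter names the proxy is willing to forward. Anything not listed here
# (stream.url, stream.body, qt, shards, debugQuery, ...) is dropped.
ALLOWED_PARAMS = {
    "q", "fq", "sort", "start", "rows", "fl", "wt",
    "facet", "facet.field", "facet.limit", "facet.mincount",
    "hl", "hl.fl", "hl.simple.pre", "hl.simple.post",
    "spellcheck", "spellcheck.q",
}

# Assumed caps on the values that drive memory and CPU cost.
MAX_ROWS = 100            # rows=1000000 becomes rows=100
MAX_START = 10_000
MAX_FACET_LIMIT = 50
MAX_FACET_FIELDS = 10     # at most this many facet.field parameters
MAX_FQ = 10               # at most this many fq clauses
MAX_VALUE_LEN = 1024      # reject absurdly long values outright
ALLOWED_WT = {"json", "xml"}
# Solr field names are identifiers; sort/facet/fl values must look like one
# (plus "asc"/"desc" and commas for sort and fl).
FIELD_LIST_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*(\s+(asc|desc))?(\s*,\s*[A-Za-z_][A-Za-z0-9_.]*(\s+(asc|desc))?)*$")


def _clamp_int(value, upper, default):
    """Parse value as a non-negative int capped at upper; default if unparsable."""
    try:
        n = int(value)
    except ValueError:
        return default
    return max(0, min(n, upper))


def sanitize_solr_params(query_string):
    """Return (kept, dropped): the (name, value) pairs safe to forward and the
    names that were discarded. Unknown names are dropped rather than causing a
    hard error so a client sending one stray parameter still gets results."""
    kept = []
    dropped = []
    facet_fields = 0
    fq_count = 0
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name not in ALLOWED_PARAMS or len(value) > MAX_VALUE_LEN:
            dropped.append(name)
            continue
        if name == "rows":
            value = str(_clamp_int(value, MAX_ROWS, 10))
        elif name == "start":
            value = str(_clamp_int(value, MAX_START, 0))
        elif name == "facet.limit":
            value = str(_clamp_int(value, MAX_FACET_LIMIT, 10))
        elif name == "wt" and value not in ALLOWED_WT:
            dropped.append(name)
            continue
        elif name in ("sort", "fl", "facet.field", "hl.fl"):
            if not FIELD_LIST_RE.match(value):
                dropped.append(name)
                continue
            if name == "facet.field":
                facet_fields += 1
                if facet_fields > MAX_FACET_FIELDS:
                    dropped.append(name)
                    continue
        elif name == "fq":
            fq_count += 1
            if fq_count > MAX_FQ:
                dropped.append(name)
                continue
        kept.append((name, value))
    return kept, dropped


def forward_url(solr_select_url, query_string):
    """Build the URL the proxy forwards to, using only the sanitized parameters."""
    kept, _dropped = sanitize_solr_params(query_string)
    return f"{solr_select_url}?{urlencode(kept)}"


if __name__ == "__main__":
    # Constructed request resembling the ones described in the thread.
    raw = "q=solr~0.01&rows=1000000&stream.url=http://example.invalid/&debugQuery=on&wt=json"
    kept, dropped = sanitize_solr_params(raw)
    print("forwarding:", kept)
    print("dropped:", dropped)
    print(forward_url("http://localhost:8983/solr/select", raw))
```

The filter is deliberately a drop-and-continue allowlist rather than a denylist: a denylist has to anticipate every dangerous parameter (and every alias Solr accepts), whereas an allowlist only has to name the handful the front end actually sends. Disabling remote streaming in solrconfig.xml, as David suggests, is still the right defense in depth, because the proxy is not the only path to Solr.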

Scott Stults

Oct 8, 2014, 3:10:06 PM
to ajax...@googlegroups.com, david.w...@gmail.com
This is an old thread, but it keeps popping up when I search for Solr proxies.

We've got a simple nginx proxy config that we'd like feedback on:


Pull requests would be awesome too.


-Scott

James McKinney

Oct 8, 2014, 4:04:33 PM
to ajax...@googlegroups.com, david.w...@gmail.com
Hi Scott,

I’ve added your proxy to this list: https://github.com/evolvingweb/ajax-solr/wiki/Solr-proxies

Thanks!

James
