Posted to issues@lucene.apache.org by "Gus Heck (Jira)" <ji...@apache.org> on 2019/10/27 05:27:00 UTC

[jira] [Commented] (SOLR-13749) Implement support for joining across collections with multiple shards ( XCJF )

    [ https://issues.apache.org/jira/browse/SOLR-13749?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16960506#comment-16960506 ] 

Gus Heck commented on SOLR-13749:
---------------------------------

After some fooling around with this I found that arbitrary POST requests can be sent via the url parameter like this
{code:none}
 {!xcjf solrUrl="http://localhost:8080/login#" collection="results" from="driverId_s" to="id" v="laps_i:[100 TO *]"} 
{code}
or to pester someone's mail server....
{code:none}
 {!xcjf solrUrl=\"http://localhost:25/login#\" collection=\"results\" from=\"driverId_s\" to=\"id\" v=\"laps_i:[100 TO *]\"}
{code}
creating log entries like this in exim4:
{code:java}
2019-10-27 01:17:17 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=ns-l1 [127.0.0.1] input="POST /login HTTP/1.1\r\nContent-Ty"
2019-10-27 01:17:17 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=ns-l1 [127.0.0.1] input="POST /login HTTP/1.1\r\nContent-Ty"
2019-10-27 01:17:17 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=ns-l1 [127.0.0.1] input="POST /login HTTP/1.1\r\nContent-Ty"
2019-10-27 01:17:17 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=ns-l1 [127.0.0.1] input="POST /login HTTP/1.1\r\nContent-Ty"

(note the amplification by the number of nodes in the solr cluster...){code}
However, I haven't yet found a way to trick the server into accepting query parameters (since the ? and & chars break it)... But that only fails because of this dodgy looking exception:
{code:java}
o.a.s.s.HttpSolrCall null:java.lang.NullPointerException
	at org.apache.solr.client.solrj.io.stream.SolrStream.close(SolrStream.java:191)
	at org.apache.solr.search.join.XCJFQuery$XCJFQueryWeight.getDocSet(XCJFQuery.java:301)
	at org.apache.solr.search.join.XCJFQuery$XCJFQueryWeight.scorer(XCJFQuery.java:311)
	at org.apache.lucene.search.Weight.bulkScorer(Weight.java:168)
	at org.apache.lucene.search.IndexSearcher.search(IndexSearcher.java:741)
	at org.apache.lucene.search.IndexSearcher.search(IndexSearcher.java:516)
	at org.apache.solr.search.SolrIndexSearcher.buildAndRunCollectorChain(SolrIndexSearcher.java:203)
	at org.apache.solr.search.SolrIndexSearcher.getDocListNC(SolrIndexSearcher.java:1621)
	at org.apache.solr.search.SolrIndexSearcher.getDocListC(SolrIndexSearcher.java:1437)
	at org.apache.solr.search.SolrIndexSearcher.search(SolrIndexSearcher.java:584)
	at org.apache.solr.handler.component.QueryComponent.doProcessUngroupedSearch(QueryComponent.java:1485)
	at org.apache.solr.handler.component.QueryComponent.process(QueryComponent.java:398)
	...etc
{code}
Not entirely sure that it isn't a bug that a SolrStream got created without a client (which is what's null)... and I'm not sure if something getting fixed later might enable parameters to go through. Also, one could use this to map visible networks via Solr since responding ports come back with errors quickly and requests to machines that don't exist spin for a long time.

It seems like perhaps there should be a white list of servers this query is allowed to reach out to so that attackers can't use it to poke and probe whatever network or apps solr can see. This could possibly be a collection property, though if we do that we need to be careful that the value is cached and watched somewhere, not re-fetched from zk every request. There may be other good options... Open to ideas of course.

I've not yet fooled the expressions you build with injection attacks but still working on that ;). You might be safe because there's no let() or parallel() in play there.

 

> Implement support for joining across collections with multiple shards ( XCJF )
> ------------------------------------------------------------------------------
>
>                 Key: SOLR-13749
>                 URL: https://issues.apache.org/jira/browse/SOLR-13749
>             Project: Solr
>          Issue Type: New Feature
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Kevin Watters
>            Assignee: Gus Heck
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> This ticket includes 2 query parsers.
> The first one is the "Cross collection join filter"  (XCJF) parser. This is the "Cross-collection join filter" query parser. It can do a call out to a remote collection to get a set of join keys to be used as a filter against the local collection.
> The second one is the Hash Range query parser that you can specify a field name and a hash range, the result is that only the documents that would have hashed to that range will be returned.
> This query parser will do an intersection based on join keys between 2 collections.
> The local collection is the collection that you are searching against.
> The remote collection is the collection that contains the join keys that you want to use as a filter.
> Each shard participating in the distributed request will execute a query against the remote collection. If the local collection is set up with the compositeId router to be routed on the join key field, a hash range query is applied to the remote collection query to only match the documents that contain a potential match for the documents that are in the local shard/core.
>  
> Here's some vocab to help with the descriptions of the various parameters.
> ||Term||Description||
> |Local Collection|This is the main collection that is being queried.|
> |Remote Collection|This is the collection that the XCJFQuery will query to resolve the join keys.|
> |XCJFQuery|The lucene query that executes a search to get back a set of join keys from a remote collection|
> |HashRangeQuery|The lucene query that matches only the documents whose hash code on a field falls within a specified range.|
>  
>  
> ||Param ||Required ||Description||
> |collection|Required|The name of the external Solr collection to be queried to retrieve the set of join key values ( required )|
> |zkHost|Optional|The connection string to be used to connect to Zookeeper.  
> zkHost and solrUrl are both optional parameters, and at most one of them should be specified.  
> If neither of zkHost or solrUrl are specified, the local Zookeeper cluster will be used. ( optional )|
> |solrUrl|Optional|The URL of the external Solr node to be queried ( optional )|
> |from|Required|The join key field name in the external collection ( required )|
> |to|Required|The join key field name in the local collection|
> |v|See Note|The query to be executed against the external Solr collection to retrieve the set of join key values.  
> Note:  The original query can be passed at the end of the string or as the "v" parameter.  
> It's recommended to use query parameter substitution with the "v" parameter 
> to ensure no issues arise with the default query parsers.|
> |routed| |true / false.  If true, the XCJF query will use each shard's hash range to determine the set of join keys to retrieve for that shard.
> This parameter improves the performance of the cross-collection join, but 
> it depends on the local collection being routed by the toField.  If this parameter is not specified, 
> the XCJF query will try to determine the correct value automatically.|
> |ttl| |The length of time that an XCJF query in the cache will be considered valid, in seconds.  Defaults to 3600 (one hour).  
> The XCJF query will not be aware of changes to the remote collection, so 
> if the remote collection is updated, cached XCJF queries may give inaccurate results.  
> After the ttl period has expired, the XCJF query will re-execute the join against the remote collection.|
> |_All others_| |Any normal Solr parameter can also be specified as a local param.|
>  
> Example Solr Config.xml changes:
>  
> {code:xml}
> <cache name="hash_vin"
>        class="solr.LRUCache"
>        size="128"
>        initialSize="0"
>        regenerator="solr.NoOpRegenerator"/>
>
> <queryParser name="xcjf" class="org.apache.solr.search.join.XCJFQueryParserPlugin">
>   <str name="routerField">vin</str>
> </queryParser>
>
> <queryParser name="hash_range" class="org.apache.solr.search.join.HashRangeQueryParserPlugin" />
> {code}
>
> Example Usage:
> {code:none}
> {!xcjf collection="otherCollection" from="fromField" to="toField" v="*:*"}
> {code}



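One way to implement the allow-list suggested in the comment above, shown as an added example (not code from the comment, the issue or Solr). The class name, the "host:port" entry format and the allowed host `solr1.example.internal:8983` are assumptions; the two rejected URLs are the ones quoted in the comment.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Hypothetical allow-list check for the xcjf solrUrl local param; not Solr's own code. */
public class SolrUrlAllowList {
    // Lower-case "host:port" entries, assumed to be loaded once from configuration.
    private final Set<String> allowed;

    public SolrUrlAllowList(Set<String> allowedHostPorts) {
        this.allowed = Set.copyOf(allowedHostPorts);
    }

    /** Returns a normalized URL for an allowed target, or throws IllegalArgumentException. */
    public String check(String solrUrl) {
        final URI uri;
        try {
            uri = new URI(solrUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("solrUrl is not a valid URI", e);
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("solrUrl must be http or https");
        }
        // Both URLs in the comment end in '#': anything appended after it becomes a
        // fragment, so the caller alone decides the request path. Reject '#', '?'
        // and user info; java.net.URI reports a bare trailing '#' as "" (not null).
        if (uri.getRawFragment() != null || uri.getRawQuery() != null || uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("solrUrl may not contain '#', '?' or user info");
        }
        String host = uri.getHost(); // null when the authority is not a plain host[:port]
        if (host == null) throw new IllegalArgumentException("solrUrl has no host");
        int port = uri.getPort() != -1 ? uri.getPort() : (scheme.equals("https") ? 443 : 80);
        String key = host.toLowerCase(Locale.ROOT) + ":" + port;
        if (!allowed.contains(key)) {
            throw new IllegalArgumentException("solrUrl target not in allow-list: " + key);
        }
        return scheme + "://" + key + uri.getRawPath();
    }

    public static void main(String[] args) {
        SolrUrlAllowList list = new SolrUrlAllowList(Set.of("solr1.example.internal:8983")); // constructed entry
        String[] samples = { "http://localhost:8080/login#", "http://localhost:25/login#",
                             "http://solr1.example.internal:8983/solr" }; // last one is constructed
        for (String u : samples) {
            try { System.out.println("allow " + list.check(u)); }
            catch (IllegalArgumentException e) { System.out.println("deny  " + u + " : " + e.getMessage()); }
        }
    }
}
```

The check matches host names as strings and does not resolve DNS or follow redirects, so the HTTP client that makes the request would also need redirects disabled for the allow-list to hold.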