Posted to users@solr.apache.org by "Schluchtmann, Jan Christopher" <ja...@continental-corporation.com> on 2022/02/03 07:58:06 UTC

SOLR 8.11.1 :: VELOCITY :: Can't access JAVA-object's static methods

I need your help ...

In SOLR 7.5 I was able to get hold of JAVA objects by using "Class.forName"/ "getClass.forName":
#set($sysEnv=$engine.getClass.forName('java.lang.System'))
#set($sysEnv=$engine.class.forName('java.lang.System'))

In SOLR 8.11.1 this doesn't work any more and I don't know why.
It is probably a configuration problem. I assume, it has security reasons.

I tried a lot but couldn't find a solution yet and I am a bit desperate right now.
I hope, you can help me or point me into the right direction.

Thank you very much!

Regards
Jan

RE: SOLR 8.11.1 :: VELOCITY :: Can't access JAVA-object's static methods

Posted by "Schluchtmann, Jan Christopher" <ja...@continental-corporation.com>.
@Jan Hoydahl
@Andy Lester
@Gus Heck

Thank you very much!  :)


-----Original Message-----
From: Gus Heck <gu...@gmail.com>
Sent: Thursday, 3 February 2022 21:14
To: users@solr.apache.org
Subject: Re: SOLR 8.11.1 :: VELOCITY :: Can't access JAVA-object's static methods

The original question was cross posted to dev list (this list actually is the better list for this question btw). I saw that one first and replied there with a lot of detail on how this came to change. Here's what I wrote
there:

Before proceeding you should review
https://issues.apache.org/jira/browse/SOLR-15844 and also
https://issues.apache.org/jira/browse/SOLR-13971 ,
https://issues.apache.org/jira/browse/SOLR-14025 and their associated CVEs. If after reading those you feel you need to continue to enable such a dangerous feature (not recommended, but it's your system), you may need to select an earlier version of Solr (prior to 14025 being fixed I think) or patch a later version of Solr to not use SecureUberspector, or configure it differently (see https://github.com/apache/lucene-solr/commit/128360856d50d7b39473644e6c1c21ba11766195#diff-1e87c2460a42a273fc3b5a63c26f6fbe3f580f2001876d6792063cba6b3a47a0R379).
In any case you should also be aware that in future versions velocity will not be available by default and you will need to install a Solritas package for that type of functionality. (see https://issues.apache.org/jira/browse/SOLR-14792). If this is not going to be sufficient, you may wish to begin planning some other path forward, or contribute enhancements to Solritas yourself.

-Gus

On Thu, Feb 3, 2022 at 1:28 PM Andy Lester <an...@petdance.com> wrote:

>
>
> > On Feb 3, 2022, at 3:03 AM, Jan Høydahl <ja...@cominvent.com> wrote:
> >
> > This is/was a security hole and a big anti-pattern.
>
> Is this still possible in 8.x? If so, I think it would be worth 
> putting in the docs that it can be a security problem.  I can probably do that.
>
> Andy



--
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)

Re: SOLR 8.11.1 :: VELOCITY :: Can't access JAVA-object's static methods

Posted by Gus Heck <gu...@gmail.com>.
The original question was cross posted to dev list (this list actually is
the better list for this question btw). I saw that one first and replied
there with a lot of detail on how this came to change. Here's what I wrote
there:

Before proceeding you should review
https://issues.apache.org/jira/browse/SOLR-15844 and also
https://issues.apache.org/jira/browse/SOLR-13971 ,
https://issues.apache.org/jira/browse/SOLR-14025 and their associated
CVEs. If after reading those you feel you need to continue to enable such
a dangerous feature  (not recommended, but it's your system), you may need
to select an earlier version of Solr (prior to 14025 being fixed I think)
or patch a later version of Solr to not use SecureUberspector, or configure
it differently (see
https://github.com/apache/lucene-solr/commit/128360856d50d7b39473644e6c1c21ba11766195#diff-1e87c2460a42a273fc3b5a63c26f6fbe3f580f2001876d6792063cba6b3a47a0R379).
In any case you should also be aware that in future versions velocity will
not be available by default and you will need to install a Solritas package
for that type of functionality. (see
https://issues.apache.org/jira/browse/SOLR-14792). If this is not going to
be sufficient, you may wish to begin planning some other path forward, or
contribute enhancements to Solritas yourself.

-Gus

On Thu, Feb 3, 2022 at 1:28 PM Andy Lester <an...@petdance.com> wrote:

>
>
> > On Feb 3, 2022, at 3:03 AM, Jan Høydahl <ja...@cominvent.com> wrote:
> >
> > This is/was a security hole and a big anti-pattern.
>
> Is this still possible in 8.x? If so, I think it would be worth putting in
> the docs that it can be a security problem.  I can probably do that.
>
> Andy



-- 
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)
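As an added illustration (not code from this thread, from Solr, or from Velocity itself), here is a small Java check, assuming Velocity 2.x on the classpath, that configures a VelocityEngine with the SecureUberspector Gus refers to and confirms that the two #set lines from the original question no longer yield a Class object. The class and method names are hypothetical; the template text is the one from the question.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.util.introspection.SecureUberspector;

// Hypothetical helper: verifies that a Velocity engine is configured so that
// templates cannot reach java.lang.Class via getClass()/.class introspection.
public class VelocityIntrospectionCheck {

    // The two lines from the original question, embedded as the probe template.
    private static final String PROBE =
        "#set($sysEnv=$engine.getClass.forName('java.lang.System'))\n"
      + "#set($sysEnv=$engine.class.forName('java.lang.System'))\n";

    // Builds an engine that uses SecureUberspector. Its built-in deny list
    // (introspector.restrict.classes / introspector.restrict.packages) already
    // covers java.lang.Class, java.lang.System, java.lang.Runtime, java.lang.Thread
    // and the java.lang.reflect package, and getClass()/getClassLoader() are
    // refused on every object, so the defaults are left untouched here.
    static VelocityEngine hardenedEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                           SecureUberspector.class.getName());
        engine.init();
        return engine;
    }

    // Returns true when the probe template could not obtain a Class object.
    // Under the default (permissive) uberspector, $sysEnv would end up holding
    // Class<java.lang.System>; under SecureUberspector the reference resolves
    // to null and the #set leaves the variable unset.
    static boolean reflectionEscapeBlocked(VelocityEngine engine) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("engine", engine);   // any context object would do; the question used the engine
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "introspection-probe", PROBE);
        return ctx.get("sysEnv") == null;
    }

    public static void main(String[] args) {
        VelocityEngine engine = hardenedEngine();
        System.out.println("reflection escape blocked: " + reflectionEscapeBlocked(engine));
    }
}
```

Running the same check against an engine built without the UBERSPECT_CLASSNAME property reproduces the Solr 7.5 behaviour from the question, which makes the method a useful regression test for any custom velocity.properties.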

Re: SOLR 8.11.1 :: VELOCITY :: Can't access JAVA-object's static methods

Posted by Andy Lester <an...@petdance.com>.

> On Feb 3, 2022, at 3:03 AM, Jan Høydahl <ja...@cominvent.com> wrote:
> 
> This is/was a security hole and a big anti-pattern.

Is this still possible in 8.x? If so, I think it would be worth putting in the docs that it can be a security problem.  I can probably do that.

Andy

Re: SOLR 8.11.1 :: VELOCITY :: Can't access JAVA-object's static methods

Posted by Jan Høydahl <ja...@cominvent.com>.
This is/was a security hole and a big anti-pattern.
Velocity is removed from the upcoming 9.0 release, so guess you're on your own if you want to keep using it.

Jan

> On 3 Feb 2022, at 08:58, Schluchtmann, Jan Christopher <ja...@continental-corporation.com> wrote:
> 
> I need your help ...
> 
> In SOLR 7.5 I was able to get hold of JAVA objects by using "Class.forName"/ "getClass.forName":
> #set($sysEnv=$engine.getClass.forName('java.lang.System'))
> #set($sysEnv=$engine.class.forName('java.lang.System'))
> 
> In SOLR 8.11.1 this doesn't work any more and I don't know why.
> It is probably a configuration problem. I assume, it has security reasons.
> 
> I tried a lot but couldn't find a solution yet and I am a bit desperate right now.
> I hope, you can help me or point me into the right direction.
> 
> Thank you very much!
> 
> Regards
> Jan