Posted to issues@solr.apache.org by GitBox <gi...@apache.org> on 2022/08/04 15:38:58 UTC

[GitHub] [solr] dsmiley commented on a diff in pull request #962: SOLR-16296: Load elevate.xml in a more secure way

dsmiley commented on code in PR #962:
URL: https://github.com/apache/solr/pull/962#discussion_r937921926


##########
solr/core/src/java/org/apache/solr/handler/component/QueryElevationComponent.java:
##########
@@ -376,19 +375,19 @@ protected long getConfigVersion(SolrCore core) {
    *
    * @return The loaded {@link ElevationProvider}; not null.
    */
-  private ElevationProvider loadElevationProvider(SolrCore core) throws Exception {
-    XmlConfigFile cfg;
-    try {
-      cfg = new XmlConfigFile(core.getResourceLoader(), configFileName);
+  private ElevationProvider loadElevationProvider(SolrCore core) throws IOException, SAXException {
+    try (var inputStream = core.getResourceLoader().openResource(configFileName)) {
+      return Objects.requireNonNull(
+          loadElevationProvider(SafeXMLParsing.parseUntrustedXML(log, inputStream)));
     } catch (SolrResourceNotFoundException e) {
-      String msg = "Missing config file \"" + configFileName + "\"";
+      var msg = "Missing config file \"" + configFileName + "\"";
       if (Files.exists(Path.of(core.getDataDir(), configFileName))) {
         msg += ". Found it in the data dir but this is no longer supported since 9.0.";
       }
       throw new InitializationException(msg, InitializationExceptionCause.MISSING_CONFIG_FILE);
     } catch (Exception e) {
       // See if it's because the file is empty; wrap it if so.
-      boolean isEmpty = false;
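Review bot: the `catch (Exception e)` at the end of this hunk now encloses the whole try-with-resources block, so it also catches exceptions thrown by `loadElevationProvider(Document)` (and the `NullPointerException` from `Objects.requireNonNull`), not just the parse; the "is the file empty" handling that follows will therefore run for well-formed but invalid config too, which the previous layout avoided. Consider parsing inside the try and returning the `Document`, then calling `loadElevationProvider(doc)` after the catch blocks, e.g. `Document doc; try (var in = ...) { doc = SafeXMLParsing.parseUntrustedXML(log, in); } ...` followed by `return loadElevationProvider(doc);`.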

Review Comment:
   In this instance, I gave no such advice to Haythem :-)
   I think these particular switches to var should not be done because you are not modifying these lines of code for other reasons.  It's a trivial change that shouldn't happen by itself; it's noise in a PR and code history.



##########
solr/core/src/java/org/apache/solr/handler/component/QueryElevationComponent.java:
##########
@@ -376,19 +375,19 @@ protected long getConfigVersion(SolrCore core) {
    *
    * @return The loaded {@link ElevationProvider}; not null.
    */
-  private ElevationProvider loadElevationProvider(SolrCore core) throws Exception {
-    XmlConfigFile cfg;
-    try {
-      cfg = new XmlConfigFile(core.getResourceLoader(), configFileName);
+  private ElevationProvider loadElevationProvider(SolrCore core) throws IOException, SAXException {
+    try (var inputStream = core.getResourceLoader().openResource(configFileName)) {
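Review bot: the replacement of `XmlConfigFile` with `SafeXMLParsing.parseUntrustedXML` is the substance of the "more secure way" in the PR title, but nothing in the hunk records why the untrusted parser is required here; add a one-line comment above the `try` (or a sentence in the method Javadoc) stating that elevate.xml must be parsed with the hardened, entity-restricted parser rather than the general config loader, so a later cleanup does not quietly revert to `XmlConfigFile`.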

Review Comment:
   I liked the flow previously better -- declare an object holding the parsed input.  And later, not in a try-finally, we call loadElevationProvider.  Not using XmlConfigFile would only mean saying `Document` instead.  A benefit to the previous flow is that the empty file checking would not happen if loadElevationProvider fails, since there's no point.



##########
solr/core/src/java/org/apache/solr/handler/component/QueryElevationComponent.java:
##########
@@ -413,35 +409,30 @@ private ElevationProvider loadElevationProvider(SolrCore core) throws Exception
    * @throws RuntimeException If the config does not provide an XML content of the expected format
    *     (either {@link RuntimeException} or {@link org.apache.solr.common.SolrException}).
    */
-  protected ElevationProvider loadElevationProvider(XmlConfigFile config) {
+  protected ElevationProvider loadElevationProvider(Document doc) {
     Map<ElevatingQuery, ElevationBuilder> elevationBuilderMap = new LinkedHashMap<>();
-    XPath xpath = XPathFactory.newInstance().newXPath();
-    NodeList nodes = (NodeList) config.evaluate("elevate/query", XPathConstants.NODESET);
-    for (int i = 0; i < nodes.getLength(); i++) {
-      Node node = nodes.item(i);
-      String queryString = DOMUtil.getAttr(node, "text", "missing query 'text'");
-      String matchString = DOMUtil.getAttr(node, "match");
-      ElevatingQuery elevatingQuery =
-          new ElevatingQuery(queryString, isSubsetMatchPolicy(matchString));
-
-      NodeList children;
-      try {
-        children = (NodeList) xpath.evaluate("doc", node, XPathConstants.NODESET);
-      } catch (XPathExpressionException e) {
-        throw new SolrException(
-            SolrException.ErrorCode.SERVER_ERROR, "query requires '<doc .../>' child");
-      }
-
-      if (children.getLength() == 0) { // weird
+    if (!doc.getDocumentElement().getNodeName().equals("elevate")) {
+      throw new SolrException(
+          SolrException.ErrorCode.BAD_REQUEST, "Root element must be <elevate>");
+    }
+    NodeList queryNodes = doc.getDocumentElement().getElementsByTagName("query");
+    for (int i = 0; i < queryNodes.getLength(); i++) {
+      var queryNode = (Element) queryNodes.item(i);
+      var queryString = DOMUtil.getAttr(queryNode, "text", "missing query 'text'");
+      var matchString = DOMUtil.getAttr(queryNode, "match");
+      var elevatingQuery = new ElevatingQuery(queryString, isSubsetMatchPolicy(matchString));
+
+      NodeList docNodes = queryNode.getElementsByTagName("doc");
+      if (docNodes.getLength() == 0) { // weird
         continue;
       }
-      ElevationBuilder elevationBuilder = new ElevationBuilder();
-      for (int j = 0; j < children.getLength(); j++) {
-        Node child = children.item(j);
-        String id = DOMUtil.getAttr(child, "id", "missing 'id'");
-        String e = DOMUtil.getAttr(child, EXCLUDE, null);
+      var elevationBuilder = new ElevationBuilder();
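Review bot: `getElementsByTagName` is recursive over all descendants, whereas the removed XPath `elevate/query` and the relative `doc` evaluation matched only direct children; after this change a `<query>` nested anywhere under the root, or a `<doc>` nested below another element inside a `<query>`, is accepted where it was previously ignored, which widens what the config parser tolerates rather than narrowing it. Iterate the root's child nodes and filter on `Element` with the expected tag name instead. Also, the new root-element check uses `SolrException.ErrorCode.BAD_REQUEST` while the removed `children` check used `SERVER_ERROR`; this is a configuration-load failure, not a client request, so `SERVER_ERROR` is the consistent code.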

Review Comment:
   IMO this is a perfect example where "var" is good.  `ElevationBuilder elevationBuilder = new ...` is needless verbosity.  Basically, when the variable name already communicates the type.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org