Solr LocalParams and Security


By: Vijay Mhaskar | August 7, 2015

Introduction : 

Local Parameters are usually called LocalParams. They let us "localize" information about an argument that is sent to Solr as part of a query: they are another way of attaching extra information to certain argument types, such as query strings. They are expressed as a prefix on the argument being sent to Solr.

For example, suppose we have an existing query parameter q=cancer treatment. We can prefix this query string with LocalParams to give the query parser more information, for example setting the minimum match (mm) to 2, the query field to "article" and the query type to "edismax". The query below will fetch all documents whose article field matches at least two terms from the query.

q={!edismax qf=article mm=2 v="cancer treatment"}

Syntax : 

  1. It begins with {!
  2. edismax is the query type; it can also be written as type=edismax. If no type is specified, the lucene parser is used by default.
  3. qf and mm are edismax parameters. Any number of key=value pairs can be added, separated by white space.
  4. v specifies the query string itself.
  5. It ends with }

Parameter Dereferencing :

Rather than specifying argument values directly, we can reference the value of another request parameter with $name. This simplifies queries and decouples front-end GUI parameters from the defaults set in solrconfig.xml.
Here,
q={!edismax qf=journal mm=2 v="cancer treatment"}
is equivalent to
q={!edismax qf=journal mm=$mm_value v=$qq}&qq=cancer treatment&mm_value=2

Security :

Many Solr-based search engines do not sanitize the search string and allow the LocalParams syntax to pass straight through to Solr. This makes it easy for an attacker to inject whatever local parameters they want into the query. One example is the rows parameter, as in {! rows=5000}, but there are probably other ways to abuse this functionality.

Suppose someone sends a search query that returns a great number of hits (a *:* query) and prefixes it with {! rows=total_results_we_got_for_previous_query}. This creates load on the server, because it has to serve all of those results on a single page; on some sites such a request takes a very long time. By sending a large number of these requests simultaneously, someone can carry out a Denial of Service attack against the search server.
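The following is an added example, not code from the original post. It shows the defensive side of the two points above: the parameter-dereferencing form (v=$qq) is used so that client text never sits inside the {! ... } block, a leading {! in client text is rejected outright, the rows value is clamped to a server-side ceiling, and the same checks are run over a few constructed access-log lines to flag requests that already carry LocalParams or oversized rows. The log lines, the MAX_ROWS value and the function names are assumptions made for this example; the parameter names q, qq, qf, mm, rows and mm_value are the ones used in the post.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed for this example: hard ceiling on rows, whatever a client asks for.
MAX_ROWS = 100

# The LocalParams opener that the post describes: a query string starting with "{!".
LOCALPARAMS_PREFIX = re.compile(r"^\s*\{!")


def contains_localparams(user_query: str) -> bool:
    """True when client-supplied text starts with the LocalParams opener."""
    return bool(LOCALPARAMS_PREFIX.match(user_query))


def build_solr_params(user_query: str, requested_rows: int = 10,
                      qf: str = "article", mm: int = 2) -> dict:
    """Build the request parameters for Solr.

    The client text is sent in its own parameter (qq) and referenced by v=$qq,
    as in the post's dereferencing example, so it is never concatenated into
    the {! ... } block. As defence in depth, text that itself starts with "{!"
    is refused, and rows is clamped to MAX_ROWS.
    """
    if contains_localparams(user_query):
        raise ValueError("LocalParams syntax is not allowed in user queries")
    rows = max(1, min(int(requested_rows), MAX_ROWS))
    return {
        "q": "{!edismax qf=$qf_value mm=$mm_value v=$qq}",
        "qq": user_query,
        "qf_value": qf,
        "mm_value": str(mm),
        "rows": str(rows),
    }


def to_query_string(params: dict) -> str:
    """URL-encode the parameter dict for the /select request."""
    return urlencode(params)


# Constructed sample access-log lines (Common Log Format); not real traffic.
LOG_LINES = [
    '10.0.0.5 - - [07/Aug/2015:10:00:01 +0000] "GET /solr/articles/select?q=cancer+treatment&rows=10 HTTP/1.1" 200 812',
    '10.0.0.9 - - [07/Aug/2015:10:00:02 +0000] "GET /solr/articles/select?q=%7B!rows%3D5000%7D*%3A* HTTP/1.1" 200 90211',
    '10.0.0.9 - - [07/Aug/2015:10:00:03 +0000] "GET /solr/articles/select?q=*%3A*&rows=100000 HTTP/1.1" 200 500000',
]

REQUEST_LINE = re.compile(r'^(\S+) .*"GET (\S+) HTTP/')


def suspicious_requests(lines) -> list:
    """Return (client_ip, reason) for log lines that carry a LocalParams
    prefix in q or request more rows than MAX_ROWS."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        params = parse_qs(urlsplit(target).query)   # parse_qs percent-decodes values
        q = params.get("q", [""])[0]
        if "{!" in q:
            findings.append((ip, "localparams"))
        try:
            rows = int(params.get("rows", ["0"])[0])
        except ValueError:
            rows = 0
        if rows > MAX_ROWS:
            findings.append((ip, "rows"))
    return findings


if __name__ == "__main__":
    print(to_query_string(build_solr_params("cancer treatment", requested_rows=5000)))
    for ip, reason in suspicious_requests(LOG_LINES):
        print(f"{ip}: {reason}")
```

The clamp on rows is the part that blunts the load-based attack in the post: even a client that manages to pass rows directly cannot make the server page through a whole *:* result set. Rejecting a leading {! is a cheap second check, and the same two conditions make a usable detection rule over existing access logs.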

This issue was reported to some websites; you can find more information here:

http://javahacker.com/abusing-the-solr-local-parameters-feature-localparams-injection/
