Solr LocalParams and Security

Local Parameters are often called as LocalParams. Using this we can “localize” information about an argument that is being sent to Solr through Solr query. its another way of adding extra information about certain argument types such as query strings. They can be expressed as prefixes to arguments to be sent to Solr.

For example: Suppose we have existing query parameter as q=cancer treatment. We can prefix this query string with LocalParams to provide more information to the query parser, for example changing the minimum match(mm) to 2, query field “article” and query type is “edismax” . Below query will fetch all documents for which article field has minimum two-term matches from a query.

q={!edismax qf=article mm=2 v=”cancer treatment”}
Syntax : 

  1. It begins with {!
  1. edismax is query type, we can also specify using type=edismax. If no type is specified then Lucene parser is used by default.
  1. qf and mm are edismax parameters. We can add any number of key=value pairs separated by white space.
  1. v is used to specify our query parameter.
  1. End with }

Parameter Dereferencing:
Rather than specifying arguments directly we can use value of another argument. This will further simplify queries. This way we can decouple front-end GUI parameters from defaults set in solrconfig.xml.
q={!edismax qf=journal mm=2 v=”cancer treatment”}
is equivalent to
q={!edismax qf=journal mm=$mm_value v=$qq}&qq=’cancer treatment’&mm_value=2

Many Solr based search engines do not handle search string properly and allow the LocalParams syntax to pass through. This will make things easier for hackers to inject whatever local parameters you want to into the query. Example of this is rows parameter {! rows=5000}, but there probably are other ways to abuse this functionality.

If you send a search query that returns in a great number of hits (*:* query) and prefix it with {! rows=total_results_we_got _for_previous_query}. This will create load on server because it has to serve you all these results on one page. For this some sites will take a very long time. Sending large number of these requests simultaneously someone can carry out a Denial of Service attack against the search server.

This issue was reported to some websites also you can find more info here.

Write a comment
Cancel Reply
  • sachin shinde September 1, 2015, 11:43 am
    Ultimate blog.....explicitly security view for Solr query.