[ https://issues.apache.org/jira/browse/SOLR-15330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17319697#comment-17319697 ]
Jitesh J Vidhani commented on SOLR-15330:
-----------------------------------------

    <analyzer type="index">
      <tokenizer class="solr.WhitespaceTokenizerFactory"/>
      <filter class="solr.SynonymGraphFilterFactory" synonyms="index_synonyms_case.txt" ignoreCase="false" expand="true"/>
      <filter class="solr.SynonymGraphFilterFactory" synonyms="index_synonyms_phrase.txt" ignoreCase="true" expand="true"/>
      <filter class="solr.SynonymGraphFilterFactory" synonyms="index_synonyms.txt" ignoreCase="true" expand="false"/>
      <filter class="solr.SynonymGraphFilterFactory" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
      <filter class="solr.StopFilterFactory" ignoreCase="true" words="stopwords_common.txt"/>
      <filter class="solr.StopFilterFactory" ignoreCase="false" words="stopwords_special.txt"/>
      <filter class="solr.WordDelimiterGraphFilterFactory" generateWordParts="1" generateNumberParts="1" catenateWords="1" catenateNumbers="1" catenateAll="0" splitOnCaseChange="1"/>
      <filter class="solr.FlattenGraphFilterFactory" />
      <filter class="solr.LowerCaseFilterFactory"/>
      <filter class="solr.KeywordMarkerFilterFactory" protected="protwords.txt"/>
      <filter class="solr.PorterStemFilterFactory"/>
    </analyzer>
    <analyzer type="query">
      <tokenizer class="solr.WhitespaceTokenizerFactory"/>
      <filter class="solr.SynonymGraphFilterFactory" synonyms="synonyms.txt" ignoreCase="true" expand="false"/>
      <filter class="solr.StopFilterFactory" ignoreCase="true" words="stopwords_common.txt"/>
      <filter class="solr.WordDelimiterGraphFilterFactory" generateWordParts="1" generateNumberParts="1" catenateWords="0" catenateNumbers="0" catenateAll="0" splitOnCaseChange="1"/>
      <filter class="solr.LowerCaseFilterFactory"/>
      <filter class="solr.KeywordMarkerFilterFactory" protected="protwords.txt"/>
      <filter class="solr.PorterStemFilterFactory"/>
    </analyzer>

> Solr 7.5 memory leak and crash with sql injection type queries
> --------------------------------------------------------------
>
>                 Key: SOLR-15330
>                 URL: https://issues.apache.org/jira/browse/SOLR-15330
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public (Default Security Level. Issues are Public)
>          Components: query, Server
>    Affects Versions: 7.5
>         Environment: Java 8 on CentOS 7.
>            Reporter: Jitesh J Vidhani
>            Priority: Major
>
> We have a set of standalone solr nodes running on Solr 7.5. We recently had a
> few episodes where the entire cluster crashed and died altogether. Digging
> in a little, we found the culprits were some SQL injection attacks happening
> on our site where the search term had SQL injection in it and that was fed
> into the q param in solr. I was able to take a stable solr and isolate it and
> just run 1 query and make it crash. Every time I would run a regular query
> and see it work and then just change the q= parameter and that would time out
> and eventually crash the solr instance. Here is the q param for the query I
> ran:
>
> q=-6792)))+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,CHR(113)||CHR(98)||CHR(118)||CHR(113)||CHR(113)||CHR(104)||CHR(68)||CHR(86)||CHR(114)||CHR(109)||CHR(97)||CHR(89)||CHR(89)||CHR(112)||CHR(76)||CHR(90)||CHR(105)||CHR(113)||CHR(86)||CHR(102)||CHR(97)||CHR(108)||CHR(89)||CHR(83)||CHR(81)||CHR(107)||CHR(69)||CHR(111)||CHR(97)||CHR(75)||CHR(87)||CHR(68)||CHR(108)||CHR(73)||CHR(68)||CHR(86)||CHR(118)||CHR(101)||CHR(71)||CHR(78)||CHR(106)||CHR(106)||CHR(76)||CHR(65)||CHR(82)||CHR(113)||CHR(106)||CHR(98)||CHR(98)||CHR(113)+FROM+DUAL--+gKiW
>
> I even stripped out the "||" characters and replaced them with "," and it
> still crashes. Please note these were SQL injection attacks and not real good
> queries. The Solr GC log exposes the problem and shows the memory footprint
> ballooning (from 2GB to 18GB within a minute) to the point where full garbage
> collection fails and the Solr instance is unresponsive. So 1 query is able to
> push it to the tipping point and consume 18GB of memory.
>
> I have tried searching for long description texts but that works fine. So
> something with these characters is probably causing this. Does anyone know
> how/why this might be happening?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
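The report shows raw site search terms reaching Solr's q parameter unchanged, and an analyzer chain (WordDelimiterGraphFilter splitting on every non-alphanumeric character and case change, stacked with several synonym graph filters) doing an amount of work that grows with the number of delimiters in the term. Whatever the exact cause inside Solr turns out to be, the application in front of it can bound that work. The following is an added example, not code from the reporter or from the Solr project: a pre-filter that escapes Lucene syntax, estimates how many sub-tokens the configured delimiter splitting would produce, and rejects oversized inputs, plus a scan over request-log lines to find such queries after the fact. The thresholds, the request-log line format and the sample query (generated to have the shape of the one in the report) are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Lucene query-syntax characters; backslash-escaping them makes user text a
# literal term instead of letting it change the structure of the query.
LUCENE_SPECIAL = re.compile(r'[+\-!(){}\[\]^"~*?:\\/&|]')

# WordDelimiterGraphFilter as configured in the comment above splits each
# whitespace token on non-alphanumerics, on letter/digit boundaries and on
# lower->upper case changes. This pattern counts the pieces that would result.
SUBTOKEN = re.compile(r'[A-Z]+(?![a-z])|[A-Z]?[a-z]+|[0-9]+')

# Thresholds are assumptions for illustration; tune them against real traffic.
MAX_QUERY_CHARS = 256
MAX_SUBTOKENS = 64


def lucene_escape(text):
    """Escape Lucene syntax so the term is searched literally."""
    return LUCENE_SPECIAL.sub(lambda m: '\\' + m.group(0), text)


def estimate_subtokens(query):
    """Upper-bound estimate of sub-tokens the analyzer would produce for query."""
    return sum(len(SUBTOKEN.findall(tok)) for tok in query.split())


def check_user_query(raw_q):
    """Gate a user-supplied, URL-encoded q value before forwarding it to Solr.

    Returns (accepted, detail): the escaped query when accepted, otherwise the
    reason the query was rejected.
    """
    q = unquote_plus(raw_q)
    if len(q) > MAX_QUERY_CHARS:
        return False, 'query length %d exceeds %d' % (len(q), MAX_QUERY_CHARS)
    n = estimate_subtokens(q)
    if n > MAX_SUBTOKENS:
        return False, 'estimated %d sub-tokens exceeds %d' % (n, MAX_SUBTOKENS)
    return True, lucene_escape(q)


# Extracts the q parameter from a constructed request-log line (see below).
Q_PARAM = re.compile(r'[?&]q=([^&\s]+)')


def flag_request_log(lines):
    """Return (line_no, reason) for every request whose q would be rejected."""
    flagged = []
    for i, line in enumerate(lines, 1):
        m = Q_PARAM.search(line)
        if not m:
            continue
        ok, detail = check_user_query(m.group(1))
        if not ok:
            flagged.append((i, detail))
    return flagged


# Constructed sample with the shape of the query in the report (URL form,
# '+' for space): 50 CHR() calls joined by '||'. Generated, not copied.
INJECTION_Q = ('-6792)))+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,'
               + '||'.join('CHR(%d)' % c for c in range(65, 115))
               + '+FROM+DUAL--+gKiW')

# Constructed request-log lines; the format is an assumption, not Solr output.
SAMPLE_LOG = [
    'GET /solr/products/select?q=cheap+digital+camera&rows=10 HTTP/1.1',
    'GET /solr/products/select?q=PowerShot+sx740&rows=10 HTTP/1.1',
    'GET /solr/products/select?q=' + INJECTION_Q + '&rows=10 HTTP/1.1',
]

if __name__ == '__main__':
    for raw in ('cheap+digital+camera', 'x1' * 40, INJECTION_Q):
        print(check_user_query(raw))
    print(flag_request_log(SAMPLE_LOG))
```

The length check alone rejects the sample from the report; the sub-token estimate matters for shorter strings packed with delimiters (the 'x1' * 40 case), which pass a plain length limit yet still fan out inside the analyzer. The estimate deliberately ignores catenation and synonym expansion, so it is a lower bound on the analyzer's work and a conservative gate.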