[ 
https://issues.apache.org/jira/browse/SOLR-15330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17319697#comment-17319697
 ] 

Jitesh J Vidhani commented on SOLR-15330:
-----------------------------------------

<analyzer type="index">
  <tokenizer class="solr.WhitespaceTokenizerFactory"/>
  <filter class="solr.SynonymGraphFilterFactory" synonyms="index_synonyms_case.txt" ignoreCase="false" expand="true"/>
  <filter class="solr.SynonymGraphFilterFactory" synonyms="index_synonyms_phrase.txt" ignoreCase="true" expand="true"/>
  <filter class="solr.SynonymGraphFilterFactory" synonyms="index_synonyms.txt" ignoreCase="true" expand="false"/>
  <filter class="solr.SynonymGraphFilterFactory" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
  <filter class="solr.StopFilterFactory" ignoreCase="true" words="stopwords_common.txt"/>
  <filter class="solr.StopFilterFactory" ignoreCase="false" words="stopwords_special.txt"/>
  <filter class="solr.WordDelimiterGraphFilterFactory" generateWordParts="1" generateNumberParts="1" catenateWords="1" catenateNumbers="1" catenateAll="0" splitOnCaseChange="1"/>
  <filter class="solr.FlattenGraphFilterFactory"/>
  <filter class="solr.LowerCaseFilterFactory"/>
  <filter class="solr.KeywordMarkerFilterFactory" protected="protwords.txt"/>
  <filter class="solr.PorterStemFilterFactory"/>
</analyzer>
<analyzer type="query">
  <tokenizer class="solr.WhitespaceTokenizerFactory"/>
  <filter class="solr.SynonymGraphFilterFactory" synonyms="synonyms.txt" ignoreCase="true" expand="false"/>
  <filter class="solr.StopFilterFactory" ignoreCase="true" words="stopwords_common.txt"/>
  <filter class="solr.WordDelimiterGraphFilterFactory" generateWordParts="1" generateNumberParts="1" catenateWords="0" catenateNumbers="0" catenateAll="0" splitOnCaseChange="1"/>
  <filter class="solr.LowerCaseFilterFactory"/>
  <filter class="solr.KeywordMarkerFilterFactory" protected="protwords.txt"/>
  <filter class="solr.PorterStemFilterFactory"/>
</analyzer>

> Solr 7.5 memory leak and crash with sql injection type queries
> --------------------------------------------------------------
>
>                 Key: SOLR-15330
>                 URL: https://issues.apache.org/jira/browse/SOLR-15330
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: query, Server
>    Affects Versions: 7.5
>         Environment: Java 8 on CentOS 7.
>            Reporter: Jitesh J Vidhani
>            Priority: Major
>
> We have a set of standalone solr nodes running on Solr 7.5. We recently had a 
> few episodes where the entire cluster crashed and died all together. Digging 
> in a little, we found the culprits were some SQL injection attacks happening 
> on our site where the search term had SQL injection in it and that was fed 
> into the q param in solr. I was able to take a stable solr and isolate it and 
> just run 1 query and make it crash. Every time I would run a regular query 
> and see it work and then just change the q= parameter and that would time out 
> and eventually crash the solr instance. Here is the q param for the query I 
> ran:
> q=-6792)))+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,CHR(113)||CHR(98)||CHR(118)||CHR(113)||CHR(113)||CHR(104)||CHR(68)||CHR(86)||CHR(114)||CHR(109)||CHR(97)||CHR(89)||CHR(89)||CHR(112)||CHR(76)||CHR(90)||CHR(105)||CHR(113)||CHR(86)||CHR(102)||CHR(97)||CHR(108)||CHR(89)||CHR(83)||CHR(81)||CHR(107)||CHR(69)||CHR(111)||CHR(97)||CHR(75)||CHR(87)||CHR(68)||CHR(108)||CHR(73)||CHR(68)||CHR(86)||CHR(118)||CHR(101)||CHR(71)||CHR(78)||CHR(106)||CHR(106)||CHR(76)||CHR(65)||CHR(82)||CHR(113)||CHR(106)||CHR(98)||CHR(98)||CHR(113)+FROM+DUAL--+gKiW
> I even stripped out the "||" characters and replaced them with "," and it 
> still crashes. Please note these were SQL injection attacks and not real good 
> queries. The Solr GC log exposes the problem and shows the memory footprint 
> ballooning (from 2GB to 18GB within a minute) to the point where full garbage 
> collection fails and the Solr instance is unresponsive. So 1 query is able to 
> push it to the tipping point and consume 18GB of memory.
> I have tried searching for long description texts but that works fine. So 
> something with these characters is probably causing this. Does anyone know 
> how/why this might be happening?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
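
Added example, not part of the original message or of Solr: an application-side pre-check for user search terms before they are placed in the q parameter, as in the report above. The limits, the function names and the letter/digit-run approximation of word-delimiter splitting are assumptions, and the check does not address the Solr-side memory growth itself.

```python
import re

# Assumed limits for a site-search box; tune them to your own traffic.
MAX_CHARS = 200
MAX_TOKENS = 12
MAX_PARTS_PER_TOKEN = 8

# Characters with special meaning to the Lucene/Solr query parser.
_SPECIAL = re.compile(r'([+\-&|!(){}\[\]^"~*?:\\/])')
# Rough stand-in for word-delimiter splitting: runs of letters or of digits.
_PART = re.compile(r'[A-Za-z]+|[0-9]+')

# Constructed sample, shaped like the term in the report but much shorter.
CONSTRUCTED_BAD = ("-6792))) UNION ALL SELECT NULL,NULL,"
                   "CHR(113)||CHR(98)||CHR(118)||CHR(113)||CHR(104) "
                   "FROM DUAL-- gKiW")


def check_search_term(term):
    """Return (ok, reason) for a raw user search term."""
    if len(term) > MAX_CHARS:
        return False, "too long"
    # Whitespace split, matching the WhitespaceTokenizerFactory in the analyzer.
    tokens = term.split()
    if len(tokens) > MAX_TOKENS:
        return False, "too many tokens"
    for tok in tokens:
        # One token that breaks into many sub-words is not typical search input.
        if len(_PART.findall(tok)) > MAX_PARTS_PER_TOKEN:
            return False, "token splits into too many parts"
    return True, "ok"


def escape_query_chars(term):
    """Backslash-escape query-parser metacharacters in an accepted term."""
    return _SPECIAL.sub(r'\\\1', term)


def build_q(term):
    """Validate, then escape; raise ValueError for rejected input."""
    ok, reason = check_search_term(term)
    if not ok:
        raise ValueError(reason)
    return escape_query_chars(term)


if __name__ == "__main__":
    print(check_search_term(CONSTRUCTED_BAD))
    print(build_q("wi-fi router 5GHz"))
```

Rejected terms are best logged with the reason string so that probing traffic shows up in application logs before it reaches the search tier.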
