epugh opened a new pull request, #4248: URL: https://github.com/apache/solr/pull/4248
https://issues.apache.org/jira/browse/SOLR-18170

# Description

The Configsets API (both v1 and v2) accepted arbitrary names including invalid characters (`!`, `"`, `\`) and hyphen-prefixed names, while the Admin UI already enforced collection-style naming rules. This inconsistency allowed creation of unusable configsets and potential path traversal via names like `test/../other`.

# Solution

## Changes

- **`SolrIdentifierValidator`** — Added `CONFIGSET` to `IdentifierType` enum and `validateConfigSetName()` convenience method, applying the same pattern already used for collections/cores/shards (`^(?!\-)[\\._A-Za-z0-9\\-]+$`)
- **`CloneConfigSet`** — Validate name before any other checks in `cloneExistingConfigSet()` (v2 CREATE)
- **`UploadConfigSet`** — Validate name at entry of both `uploadConfigSet()` and `uploadConfigSetFile()` (v2 UPLOAD)
- **`TestConfigSetsAPI`** — Added invalid-name assertions to `testCreateErrors()` and `testUploadErrors()` covering `configset!`, `configset"`, `-configset`, and names with spaces

Invalid names now return HTTP 400:

```
Invalid configset: [configset!]. configset names must consist entirely of periods, underscores, hyphens, and alphanumerics as well as not start with a hyphen.
```

I also discovered that I think some of the `ignoreException()` and `unIgnoreException()` pairings in our tests are not needed. At least in `TestConfigSetsAPI` copilot added one, and I removed it and the test worked just fine. Also finally learned a bit more about the use of `LogListener`, but going to save dealing with those legacy pairings for another PR.

# Tests

Added new tests.
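The naming rule described in this pull request, as an added Java example that is not code from the PR or from Solr: it applies the quoted pattern to the names the description lists and, as a separate check, tests whether each name resolves to a single direct child of a base directory. The class name, the helper names and the base path are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/** Added illustration; this is not Solr's SolrIdentifierValidator. */
public class ConfigSetNameCheck {
  // Pattern quoted in the PR description, written as a Java string literal.
  static final Pattern NAME = Pattern.compile("^(?!\\-)[\\._A-Za-z0-9\\-]+$");

  // Allow-list check: periods, underscores, hyphens, alphanumerics, no leading hyphen.
  static boolean isValidName(String name) {
    return name != null && NAME.matcher(name).matches();
  }

  // True only when the name, resolved under base, is one direct child
  // whose final path element is the name itself (no "..", no separators).
  static boolean staysDirectChild(Path base, String name) {
    Path resolved = base.resolve(name).normalize();
    return base.equals(resolved.getParent())
        && resolved.getFileName().toString().equals(name);
  }

  public static void main(String[] args) {
    // Constructed base directory (assumption); not Solr's storage layout.
    Path base = Paths.get("/var/solr/configsets");
    // Constructed sample names: those from the PR description plus ".."
    String[] samples = {
      "my_conf.v2", "configset!", "configset\"", "-configset",
      "config set", "test/../other", ".."
    };
    for (String s : samples) {
      System.out.printf("%-16s validName=%-5b directChild=%b%n",
          s, isValidName(s), staysDirectChild(base, s));
    }
  }
}
```

Names made only of periods, such as `..`, match the quoted pattern, which is why the example keeps the resolve-and-compare check as a second, independent test.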
