Hey Walter,

Can you set the value for start (0) and rows (your default sensible response row size) as an invariant in the request handler you're using so it can't be overridden from a client request? That's how I've defended against it from Solr's perspective in the past. This can be hard coded in your request handler in the XML of your solr-config or using the parameters API. I've found it a simple but effective approach and there's an example here from the docs (https://solr.apache.org/guide/8_8/requesthandlers-and-searchcomponents-in-solrconfig.html#request-handlers).
Thanks,
Dwane

________________________________
From: Walter Underwood <[email protected]>
Sent: Saturday, 26 June 2021 6:39 AM
To: [email protected] <[email protected]>
Subject: Re: Defense against deep paging?

Thanks, that is exactly the info I wanted! I’ve commented there, even though it is closed as Won’t Do.

wunder
Walter Underwood
[email protected]
http://observer.wunderwood.org/ (my blog)

> On Jun 25, 2021, at 12:46 PM, Mike Drob <[email protected]> wrote:
>
> This was discussed somewhat in
> https://issues.apache.org/jira/browse/SOLR-15252 with no
> implementation provided.
>
> On Fri, Jun 25, 2021 at 11:52 AM Walter Underwood <[email protected]>
> wrote:
>>
>> I already said that we have a limit in the client code. I’m asking about a
>> limit in Solr.
>>
>> wunder
>> Walter Underwood
>> [email protected]
>> http://observer.wunderwood.org/ (my blog)
>>
>>> On Jun 25, 2021, at 11:50 AM, Håvard Wahl Kongsgård
>>> <[email protected]> wrote:
>>>
>>> Just create a proxy client between the user and solr. Set if page >= 500 ….
>>> else
>>>
>>> Simple stuff
>>>
>>> On Fri, Jun 25, 2021 at 19:20, Walter Underwood <[email protected]> wrote:
>>>
>>>> Has anyone implemented protection against deep paging inside Solr? I’m
>>>> thinking about something like a max_rows parameter, where if start+rows was
>>>> greater than that, it would limit the max result to that number. Or maybe
>>>> just return a 400, that would be OK too.
>>>>
>>>> I’ve had three or four outages caused by deep paging over the past dozen
>>>> years with Solr. We implement a limit in the client code, then someone
>>>> forgets to add it to the redesigned client code. A limit in the request
>>>> handler would be so much easier.
>>>>
>>>> And yes, I know about cursor marks. We don’t want to enable deep paging,
>>>> we want to stop it.
>>>>
>>>> wunder
>>>> Walter Underwood
>>>> [email protected]
>>>> http://observer.wunderwood.org/ (my blog)
>>>>
>>>> --
>>> Håvard Wahl Kongsgård
>>> Data Scientist
>>
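The invariants approach described at the top of this thread, as an added example that is not part of the original messages or the Solr documentation: a solrconfig.xml request handler with the overridable `defaults` form shown beside the pinned `invariants` form. The handler name `/select` and the page size of 10 are assumptions.

```xml
<!-- Added example, not from the thread. Handler name and row count are assumed. -->

<!-- Weak: values under "defaults" apply only when the request omits them,
     so a client can still send start=1000000&rows=1000 and force deep paging.

<requestHandler name="/select" class="solr.SearchHandler">
  <lst name="defaults">
    <int name="start">0</int>
    <int name="rows">10</int>
  </lst>
</requestHandler>
-->

<!-- Pinned: values under "invariants" replace whatever the request supplies,
     so start and rows sent by the client are ignored for this handler. -->
<requestHandler name="/select" class="solr.SearchHandler">
  <lst name="defaults">
    <!-- Parameters clients may still override go here. -->
    <str name="echoParams">explicit</str>
  </lst>
  <lst name="invariants">
    <!-- Always return the first page only. -->
    <int name="start">0</int>
    <!-- Assumed "sensible" page size; choose the value your UI needs. -->
    <int name="rows">10</int>
  </lst>
</requestHandler>
```

With `start` fixed at 0, clients of this handler cannot page at all, so any UI that needs a second page has to go through a separate handler with its own limits. Setting `echoParams` as shown lets you confirm in the response header which values were actually applied.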
