Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Prevent from solr query injections, when using solrj

Query to HttpSolrServer.

SolrQuery solrQuery = new SolrQuery();
solrQuery.setQuery(q);
QueryResponse queryResponse = solrServer.query(solrQuery);

I need to build a solr query, something like "author:*user_inputed_text* title:*user_inputed_text*" I need something like PreparedStatement, but I couldn't find something like that in solrj library. How to construct query that would not containt injection? How to make the string inputed by user - \user_input_text\ safe?

I am constructing query using concatenation. When I have, for example this code:

public String buildQuery(String userInputedText) {
    String query = "author:*" + userInputedText + "* OR title:*" + userInputedText + "*";
}

Then user can inject some subquery and receive the results, that is not restricted. For example inputed string was: " OR title:". So, the whole query will be: author:* OR title:* OR title:* OR title:*

In this case user receives all the results (they are not limited) and passes the pattern author:*?* OR title:*?*.

like image 815
John Avatar asked Nov 11 '14 10:11

John


1 Answers

Please consider use of a built-in solrj ClientUtils utility class. By means of which you can escape userInputText

String escapedUserInputText = ClientUtils.escapeQueryChars(userInputText)

For more details take a look at the queryparser syntax page.

like image 96
Dmytro Chyzhykov Avatar answered Oct 22 '22 05:10

Dmytro Chyzhykov