Apache
/
lucene
mirror of https://github.com/apache/lucene.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SOLR-11971: Don't allow referal to external resources in DataImportHandler's dataConfig request parameter

This commit is contained in:
Uwe Schindler 2018-02-18 22:41:06 +01:00
parent b4f8cd7ea6
commit 02c693f371
3 changed files with 36 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
solr/CHANGES.txt
View File

@ -214,6 +214,9 @@ Bug Fixes
* SOLR-11988: Fix exists() method in EphemeralDirectoryFactory/MockDirectoryFactory to prevent false positives (hossman)
* SOLR-11971: Don't allow referal to external resources in DataImportHandler's dataConfig request parameter.
(麦 香浓郁, Uwe Schindler)
Optimizations
----------------------

17
solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java
View File

@ -16,6 +16,7 @@
*/
package org.apache.solr.handler.dataimport;
import org.apache.solr.common.EmptyEntityResolver;
import org.apache.solr.common.SolrException;
import org.apache.solr.core.SolrCore;
import org.apache.solr.schema.IndexSchema;
@ -178,11 +179,11 @@ public class DataImporter {
/**
* Used by tests
*/
public void loadAndInit(String configStr) {
void loadAndInit(String configStr) {
config = loadDataConfig(new InputSource(new StringReader(configStr)));
}
public void loadAndInit(InputSource configFile) {
void loadAndInit(InputSource configFile) {
config = loadDataConfig(configFile);
}
@ -191,8 +192,10 @@ public class DataImporter {
DIHConfiguration dihcfg = null;
try {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setValidating(false);
// only enable xinclude, if a a SolrCore and SystemId is present (makes no sense otherwise)
// only enable xinclude, if XML is coming from safe source (local file)
// and a a SolrCore and SystemId is present (makes no sense otherwise):
if (core != null && configFile.getSystemId() != null) {
try {
dbf.setXIncludeAware(true);
@ -203,8 +206,14 @@ public class DataImporter {
}
DocumentBuilder builder = dbf.newDocumentBuilder();
if (core != null)
// only enable xinclude / external entities, if XML is coming from
// safe source (local file) and a a SolrCore and SystemId is present:
if (core != null && configFile.getSystemId() != null) {
builder.setEntityResolver(new SystemIdResolver(core.getResourceLoader()));
} else {
// Don't allow external entities without having a system ID:
builder.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
}
builder.setErrorHandler(XMLLOG);
Document document;
try {

20
solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java
View File

@ -89,6 +89,13 @@ public class TestErrorHandling extends AbstractDataImportHandlerTestCase {
assertQ(req("*:*"), "//*[@numFound='3']");
}
public void testExternalEntity() throws Exception {
StringDataSource.xml = wellformedXml;
// This should not fail as external entities are replaced by an empty string during parsing:
runFullImport(dataConfigWithEntity);
assertQ(req("*:*"), "//*[@numFound='3']");
}
public static class StringDataSource extends DataSource<Reader> {
public static String xml = "";
@ -157,6 +164,19 @@ public class TestErrorHandling extends AbstractDataImportHandlerTestCase {
" </document>\n" +
"</dataConfig>";
private String dataConfigWithEntity = "<!DOCTYPE dataConfig [\n" +
" <!ENTITY internalTerm \"node\">\n" +
" <!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" +
"]><dataConfig>\n" +
" <dataSource name=\"str\" type=\"TestErrorHandling$StringDataSource\" />" +
" <document>\n" +
" <entity name=\"&internalTerm;\" dataSource=\"str\" processor=\"XPathEntityProcessor\" url=\"test\" forEach=\"/root/node\" onError=\"skip\">\n" +
" <field column=\"id\" xpath=\"/root/node/id\">&externalTerm;</field>\n" +
" <field column=\"desc\" xpath=\"/root/node/desc\" />\n" +
" </entity>\n" +
" </document>\n" +
"</dataConfig>";
private String malformedXml = "<root>\n" +
" <node>\n" +
" <id>1</id>\n" +