nsoft commented on a change in pull request #976: SOLR-13749: Implement support for joining across collections with multiple shards
URL: https://github.com/apache/lucene-solr/pull/976#discussion_r354419876
##########
File path: solr/core/src/java/org/apache/solr/search/join/XCJFQParser.java
##########
@@ -46,17 +46,25 @@
QueryParsing.TYPE, QueryParsing.V, ZK_HOST, SOLR_URL, COLLECTION,
FROM, TO, ROUTED_BY_JOIN_KEY, TTL));
private final String routerField;
+ private final Set<String> solrUrlWhitelist;
- public XCJFQParser(String qstr, SolrParams localParams, SolrParams params,
SolrQueryRequest req, String routerField) {
+ public XCJFQParser(String qstr, SolrParams localParams, SolrParams params,
SolrQueryRequest req, String routerField, Set<String> solrUrlWhiteList) {
super(qstr, localParams, params, req);
this.routerField = routerField;
+ // If specified in the config, this will limit which solr url's the parser
can connect to.
+ this.solrUrlWhitelist = solrUrlWhiteList;
}
@Override
public Query parse() throws SyntaxError {
String query = localParams.get(QueryParsing.V);
String zkHost = localParams.get(ZK_HOST);
String solrUrl = localParams.get(SOLR_URL);
+ // Test if this is a valid solr url.
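Review bot: the whitelist handling should fail closed when nothing is configured. The comment `+ // If specified in the config, this will limit which solr url's the parser can connect to.` implies `solrUrlWhiteList` may be null when absent from the config, yet the constructor stores it without a null or empty check, and `parse()` reads `solrUrl` directly from request-supplied `localParams` ahead of `+ // Test if this is a valid solr url.`, where the validation itself is not shown in this hunk. Suggest treating a null or empty whitelist as a configuration error (throw `SyntaxError` stating that a whitelist must be configured) and rejecting any `solrUrl` not contained in the set before any connection is opened to it. Minor: the field is `solrUrlWhitelist` while the parameter is `solrUrlWhiteList`; use one spelling.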
Review comment:
This looks good, but I think we need to make it secure by default. Security flaws have recently become a big pain point in the community, having had 5 CVEs in 2019... Do you mind if I add another `if` that fails with advice that a whitelist is required, when none is configured? For expedience I can make this change and we can punt an "insecure, talk to anyone" mode to a later ticket if you like.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services