adityamparikh opened a new pull request, #122:
URL: https://github.com/apache/solr-mcp/pull/122

## Summary

`SearchService.search` previously passed the user's `query` argument straight to Solr's standard query parser via `solrQuery.setQuery(query)`. Solr's standard parser honors `{!parser arg=val}` local-param prefixes, which lets a caller switch parsers mid-query — including:

- `{!xmlparser ...}` — historical XXE/RCE ([CVE-2017-12629](https://nvd.nist.gov/vuln/detail/CVE-2017-12629))
- `{!join from=… fromIndex=other …}` — cross-collection reads
- `{!func}` / `_val_:` — DoS-grade function plans

This PR binds the user's input to a separate `qq` request parameter and references it from a constant `q={!edismax v=$qq}`, so the standard parser never sees raw user input. eDisMax does not honor a `{!parser …}` prefix inside its input, so the injection vectors are treated as literal characters.

Reference: [Solr Reference Guide — Parameter Substitution](https://solr.apache.org/guide/solr/latest/query-guide/common-query-parameters.html#parameter-substitution).

## Test plan
- [x] Five new unit tests in `SearchServiceTest` cover blank query, plain query, `{!xmlparser}` injection, `{!join}` injection, and `_val_:` function-query injection — all assert the malicious string lands in `qq`, not in `q`
- [x] Three existing tests updated to match the new q/qq construction
- [x] `./gradlew test --tests "*SearchService*"` passes
- [x] `./gradlew build` passes (full test suite)

## References
- [CWE-943: Improper Neutralization of Special Elements in Data Query Logic](https://cwe.mitre.org/data/definitions/943.html)

🤖 Generated with [Claude Code](https://claude.com/claude-code)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
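The q/qq construction the PR describes, written out as an added example in SolrJ. This is not the solr-mcp code from the pull request: the class `SafeSearchQueryBuilder` and its methods `buildUnsafe`, `build` and `userInputIsolated` are hypothetical names, the sample inputs are constructed, and the fallback of a blank query to `*:*` is an assumption about behaviour the PR does not specify. Only `org.apache.solr.client.solrj.SolrQuery` and its `setQuery`, `getQuery`, `set`, `get` and `setRows` methods are real SolrJ API.

```java
import org.apache.solr.client.solrj.SolrQuery;

/**
 * Builds a Solr query in which the caller's text can never reach the
 * standard (lucene) query parser. Added example; not the solr-mcp code.
 */
public final class SafeSearchQueryBuilder {

    /** Constant main query: eDisMax reads its input from the qq parameter. */
    static final String Q_TEMPLATE = "{!edismax v=$qq}";

    private SafeSearchQueryBuilder() {}

    /**
     * The "before" shape from the PR: the raw text becomes q, so a leading
     * {!parser ...} local-param prefix chooses which parser runs.
     * Kept only to contrast with build(); do not use.
     */
    static SolrQuery buildUnsafe(String userQuery) {
        SolrQuery solrQuery = new SolrQuery();
        solrQuery.setQuery(userQuery);
        return solrQuery;
    }

    /**
     * The "after" shape: q is a constant template and the user's text is bound
     * to the separate qq parameter, which eDisMax consumes as plain query text.
     * Blank input falls back to match-all (assumption, not taken from the PR).
     */
    public static SolrQuery build(String userQuery, int rows) {
        String text = (userQuery == null || userQuery.isBlank()) ? "*:*" : userQuery;
        SolrQuery solrQuery = new SolrQuery();
        solrQuery.setQuery(Q_TEMPLATE);   // never derived from caller input
        solrQuery.set("qq", text);        // caller input lives only here
        solrQuery.setRows(rows);
        return solrQuery;
    }

    /** Mirrors the PR's unit-test assertion: user text sits in qq, never in q. */
    static boolean userInputIsolated(SolrQuery solrQuery, String userQuery) {
        return Q_TEMPLATE.equals(solrQuery.getQuery())
                && userQuery.equals(solrQuery.get("qq"));
    }

    public static void main(String[] args) {
        // Constructed inputs: the first three carry the prefixes named in the
        // PR's test plan, the last is an ordinary search string.
        String[] samples = {
            "{!xmlparser}x",
            "{!join fromIndex=other}x",
            "_val_:x",
            "plain search terms"
        };
        for (String s : samples) {
            SolrQuery unsafe = buildUnsafe(s);
            SolrQuery safe = build(s, 10);
            System.out.println("unsafe q : " + unsafe.getQuery());
            System.out.println("safe   q : " + safe.getQuery()
                    + "   qq=" + safe.get("qq")
                    + "   isolated=" + userInputIsolated(safe, s));
            // safe.toString() shows the encoded request Solr would receive,
            // e.g. q=%7B!edismax+v%3D%24qq%7D&qq=...&rows=10
        }
    }
}
```

The property worth testing is the one `userInputIsolated` checks: `getQuery()` must equal the constant template regardless of input, and `get("qq")` must equal the caller's string unchanged. A test that only confirms "the request did not blow up" would pass for the unsafe builder too; asserting on which parameter the text landed in is what distinguishes the two.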
