Solr / SOLR-16808

Solr publishes environment variables via the Metrics API

Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 9.0
    • Fix Version/s: 9.3
    • Component/s: metrics
    • Labels: None

    Description

      Much like sysProps, Solr apparently has published envVars through the metrics API since 9.0.

      As I mentioned in SOLR-15019, this is a big security issue and it should be removed. Before the release of 9.0, the use of this within the PlacementPlugins was removed, but the real issue of publishing via the metrics API was never addressed. (Weird, because I remember testing this out...)

      This is a security risk, because we have very little way of controlling what Environment Variables users use on their machines, and it's too big of a burden to have them keep a list of these in their Solr.xml.

      We should remove this "metric" and create a bug-fix release.
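
An added example, not part of the issue or the Solr code base: one way to check, after upgrading, that a saved Metrics API response no longer carries environment data. The metric key names and all values in the sample are constructed and hypothetical, not Solr's actual metric names.

```python
import json

# Constructed sample response; key names are hypothetical placeholders.
SAMPLE_METRICS = json.loads("""
{"metrics": {"example.jvm": {
    "memory.heap.used": 123456,
    "example.env": {"DB_PASSWORD": "s3cr3t-constructed", "HOME": "/home/solr"},
    "example.cmdline": ["-Xmx512m", "-Dtoken=s3cr3t-constructed"]
}}}
""")

# Constructed stand-in for the Solr process environment (os.environ in real use).
SAMPLE_ENV = {"DB_PASSWORD": "s3cr3t-constructed", "HOME": "/home/solr",
              "LANG": "C", "SHLVL": "1"}


def leaves(node, path="", key=None):
    """Yield (path, nearest dict key, scalar value) for every leaf of parsed JSON."""
    if isinstance(node, dict):
        for k, child in node.items():
            yield from leaves(child, f"{path}/{k}", k)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from leaves(child, f"{path}/{i}", key)
    else:
        yield path, key, node


def find_env_leaks(doc, env, min_len=6):
    """Return sorted (path, env_name, kind) findings; values are never echoed."""
    findings = []
    for path, key, value in leaves(doc):
        if not isinstance(value, str):
            continue
        for name, secret in env.items():
            if key == name and value == secret:
                # The variable is published under its own name.
                findings.append((path, name, "name+value"))
            elif len(secret) >= min_len and secret in value:
                # The value is embedded elsewhere; min_len skips noise like "1" or "C".
                findings.append((path, name, "value"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_env_leaks(SAMPLE_METRICS, SAMPLE_ENV):
        print(*finding)
```

An empty result for a response captured from an upgraded node, compared against that node's real environment, is the expected outcome.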

      Attachments

        1. SOLR-16808.patch
          1 kB
          Houston Putman

          Activity

            houston Houston Putman added a comment -

            The patch is up. The fix is very simple, we just need to add an upgrade note that the envVars are no longer exposed via the metrics API.

            krisden Kevin Risden added a comment -

            +1 to the patch. Looks good to me. Based on reading SOLR-15019, it looks like the revert at the end was to remove env vars but somehow this slipped through.

            dsmiley David Smiley added a comment -

            +1 to remove the env vars from the metrics API.

            houston Houston Putman added a comment -

            Closing after the 9.3.0 release


            People

              Assignee: Houston Putman
              Reporter: Houston Putman