[SOLR-13184] NPE due to missing input checking in ValueSourceParser - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 9.0
Fix Version/s: None
Component/s: SearchComponents - other
Labels:
- diffblue
- newdev
Environment:
Hide

Steps to reproduce

Use a Linux machine.

Build commit ea2c8ba of Solr as described in the section below.

Build the films collection as described below.

Start the server using the command ./bin/solr start -f -p 8983 -s /tmp/home

Request the URL given in the bug description.

Compiling the server

git clone https://github.com/apache/lucene-solr cd lucene-solr git checkout ea2c8ba ant compile cd solr ant server

Building the collection

We followed Exercise 2 from the Solr Tutorial. The attached file (home.zip) gives the contents of folder /tmp/home that you will obtain by following the steps below:

mkdir -p /tmp/home echo '<?xml version="1.0" encoding="UTF-8" ?><solr></solr>' > /tmp/home/solr.xml

In one terminal start a Solr instance in foreground:

./bin/solr start -f -p 8983 -s /tmp/home

In another terminal, create a collection of movies, with no shards and no replication, and initialize it:

bin/solr create -c films curl -X POST -H 'Content-type:application/json' --data-binary '{"add-field": {"name":"name", "type":"text_general", "multiValued":false, "stored":true}}' http://localhost:8983/solr/films/schema curl -X POST -H 'Content-type:application/json' --data-binary '{"add-copy-field" : {"source":"*","dest":"_text_"}}' http://localhost:8983/solr/films/schema ./bin/post -c films example/films/films.json
Show
Steps to reproduce Use a Linux machine. Build commit ea2c8ba of Solr as described in the section below. Build the films collection as described below. Start the server using the command ./bin/solr start -f -p 8983 -s /tmp/home Request the URL given in the bug description. Compiling the server git clone https://github.com/apache/lucene-solr cd lucene-solr git checkout ea2c8ba ant compile cd solr ant server Building the collection We followed Exercise 2 from the Solr Tutorial . The attached file ( home.zip ) gives the contents of folder /tmp/home that you will obtain by following the steps below: mkdir -p /tmp/home echo '<?xml version="1.0" encoding="UTF-8" ?><solr></solr>' > /tmp/home/solr.xml In one terminal start a Solr instance in foreground: ./bin/solr start -f -p 8983 -s /tmp/home In another terminal, create a collection of movies, with no shards and no replication, and initialize it: bin/solr create -c films curl -X POST -H 'Content-type:application/json' --data-binary '{"add-field": {"name":"name", "type":"text_general", "multiValued":false, "stored":true}}' http://localhost:8983/solr/films/schema curl -X POST -H 'Content-type:application/json' --data-binary '{"add-copy-field" : {"source":"*","dest":"_text_"}}' http://localhost:8983/solr/films/schema ./bin/post -c films example/films/films.json

Description

Requesting the following URL causes Solr to return an HTTP 500 error response:

http://localhost:8983/solr/films/select?q={!frange%20l=10%20u=100}joindf(genre:comedy,$x)

The error response seems to be caused by the following uncaught exception:

java.lang.NullPointerException
at org.apache.lucene.queries.function.valuesource.JoinDocFreqValueSource.hashCode(JoinDocFreqValueSource.java:98)
at org.apache.solr.search.function.ValueSourceRangeFilter.hashCode(ValueSourceRangeFilter.java:139)
at org.apache.solr.search.SolrConstantScoreQuery.hashCode(SolrConstantScoreQuery.java:138)
at org.apache.solr.search.QueryResultKey.<init>(QueryResultKey.java:46)
at org.apache.solr.search.SolrIndexSearcher.getDocListC(SolrIndexSearcher.java:1328)
at org.apache.solr.search.SolrIndexSearcher.search(SolrIndexSearcher.java:567)
at org.apache.solr.handler.component.QueryComponent.doProcessUngroupedSearch(QueryComponent.java:1434)
at org.apache.solr.handler.component.QueryComponent.process(QueryComponent.java:373)

As far as I can tell, this bug comes about as follows: In org.apache.solr.search.ValueSourceParser, in the addParser(“joindf”, …) statement (lines 335-342), we extract the arguments f0 and qf without checking if these arguments could not be parsed. The test case produces a null pointer for the qfield field in the JoinDocFreqValueSource instance. This causes problems in hashcode (as evidenced in this bug), since it expects qfield to be non-null.

Looking at the usages of qfield, it is generally expected to be non-null, so it seems we are missing input validation in the parser.

We found this bug using Diffblue Microservices Testing. Find more information on this fuzz testing campaign.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

home.zip
29/Jan/19 16:32
376 kB
Johannes Kloos

Issue Links

supercedes

LUCENE-8667 NPE due to missing input checking in ValueSourceParser

Closed

links to

GitHub Pull Request #1457

GitHub Pull Request #1472

Activity

People

Assignee:: Unassigned

Reporter:: Johannes Kloos

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 29/Jan/19 16:36

Updated:: 01/Feb/21 21:27

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

0.5h

Details

Steps to reproduce

Compiling the server

Building the collection

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Time Tracking