  1. Solr
  2. SOLR-13184

NPE due to missing input checking in ValueSourceParser


Details

    • Bug
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 9.0
    • None

    Description

      Requesting the following URL causes Solr to return an HTTP 500 error response:

      http://localhost:8983/solr/films/select?q={!frange%20l=10%20u=100}joindf(genre:comedy,$x)
      

      The error response seems to be caused by the following uncaught exception:

      java.lang.NullPointerException
      at org.apache.lucene.queries.function.valuesource.JoinDocFreqValueSource.hashCode(JoinDocFreqValueSource.java:98)
      at org.apache.solr.search.function.ValueSourceRangeFilter.hashCode(ValueSourceRangeFilter.java:139)
      at org.apache.solr.search.SolrConstantScoreQuery.hashCode(SolrConstantScoreQuery.java:138)
      at org.apache.solr.search.QueryResultKey.<init>(QueryResultKey.java:46)
      at org.apache.solr.search.SolrIndexSearcher.getDocListC(SolrIndexSearcher.java:1328)
      at org.apache.solr.search.SolrIndexSearcher.search(SolrIndexSearcher.java:567)
      at org.apache.solr.handler.component.QueryComponent.doProcessUngroupedSearch(QueryComponent.java:1434)
      at org.apache.solr.handler.component.QueryComponent.process(QueryComponent.java:373)
      
      

      As far as I can tell, this bug comes about as follows: In org.apache.solr.search.ValueSourceParser, in the addParser(“joindf”, …) statement (lines 335-342), we extract the arguments f0 and qf without checking if these arguments could not be parsed. The test case produces a null pointer for the qfield field in the JoinDocFreqValueSource instance. This causes problems in hashCode (as evidenced in this bug), since it expects qfield to be non-null.

      Looking at the usages of qfield, it is generally expected to be non-null, so it seems we are missing input validation in the parser.

      We found this bug using Diffblue Microservices Testing. Find more information on this fuzz testing campaign.


          People

            Unassigned Unassigned
            jkloos Johannes Kloos


              Time Tracking

                Original Estimate - Not Specified
                Remaining Estimate - 0h
                Time Spent - 0.5h
