Solr / SOLR-13184

NPE due to missing input checking in ValueSourceParser


Details

• Type: Bug
• Status: Open
• Priority: Minor
• Resolution: Unresolved
• Affects Version/s: master (9.0)
• Fix Version/s: None

Description

Requesting the following URL causes Solr to return an HTTP 500 error response:

http://localhost:8983/solr/films/select?q={!frange%20l=10%20u=100}joindf(genre:comedy,$x)

The error response seems to be caused by the following uncaught exception:

java.lang.NullPointerException
    at org.apache.lucene.queries.function.valuesource.JoinDocFreqValueSource.hashCode(JoinDocFreqValueSource.java:98)
    at org.apache.solr.search.function.ValueSourceRangeFilter.hashCode(ValueSourceRangeFilter.java:139)
    at org.apache.solr.search.SolrConstantScoreQuery.hashCode(SolrConstantScoreQuery.java:138)
    at org.apache.solr.search.QueryResultKey.<init>(QueryResultKey.java:46)
    at org.apache.solr.search.SolrIndexSearcher.getDocListC(SolrIndexSearcher.java:1328)
    at org.apache.solr.search.SolrIndexSearcher.search(SolrIndexSearcher.java:567)
    at org.apache.solr.handler.component.QueryComponent.doProcessUngroupedSearch(QueryComponent.java:1434)
    at org.apache.solr.handler.component.QueryComponent.process(QueryComponent.java:373)

As far as I can tell, this bug comes about as follows: In org.apache.solr.search.ValueSourceParser, in the addParser("joindf", ...) statement (lines 335-342), we extract the arguments f0 and qf without checking if these arguments could not be parsed. The test case produces a null pointer for the qfield field in the JoinDocFreqValueSource instance. This causes problems in hashCode (as evidenced in this bug), since it expects qfield to be non-null.

Looking at the usages of qfield, it is generally expected to be non-null, so it seems we are missing input validation in the parser.

We found this bug using Diffblue Microservices Testing. Find more information on this fuzz testing campaign.
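The following is an added example, not code from this issue or from the Solr code base. It models the failure the report describes in plain Java so it runs without Solr on the classpath: JoindfValidationDemo, MiniFunctionParser and FunctionSyntaxError are constructed stand-ins for the real ValueSourceParser, FunctionQParser.parseArg() and SyntaxError, and the JoinDocFreqValueSource class here is a stripped-down model of the real one. It shows the unchecked parser (where a "$x" argument that resolves to no request parameter becomes a null qfield, and the NPE only surfaces later when the query is hashed for the cache key) next to a parser that validates its arguments and fails at parse time with a descriptive error, plus a null-safe hashCode as a second line of defence.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

public class JoindfValidationDemo {

    /** Constructed stand-in for Solr's SyntaxError: a parse-time failure with a clear message. */
    static final class FunctionSyntaxError extends Exception {
        FunctionSyntaxError(String msg) { super(msg); }
    }

    /** Constructed model of JoinDocFreqValueSource, reduced to the two fields the report mentions. */
    static final class JoinDocFreqValueSource {
        final String field;
        final String qfield;

        JoinDocFreqValueSource(String field, String qfield) {
            this.field = field;
            this.qfield = qfield;
        }

        /** The pattern the report describes: qfield is assumed non-null, so a null qfield
         *  throws NullPointerException the moment the query is used as a cache key. */
        int unsafeHashCode() {
            return 31 * field.hashCode() + qfield.hashCode();
        }

        /** Defence in depth: even if a null slips past the parser, hashing must not throw. */
        @Override public int hashCode() { return Objects.hash(field, qfield); }

        @Override public boolean equals(Object o) {
            if (!(o instanceof JoinDocFreqValueSource)) return false;
            JoinDocFreqValueSource other = (JoinDocFreqValueSource) o;
            return Objects.equals(field, other.field) && Objects.equals(qfield, other.qfield);
        }
    }

    /** Constructed model of FunctionQParser.parseArg(): a "$name" argument is resolved from the
     *  request parameters and yields null when that parameter was never supplied. */
    static final class MiniFunctionParser {
        private final Map<String, String> requestParams;
        private final List<String> args;
        private int pos = 0;

        MiniFunctionParser(String argList, Map<String, String> requestParams) {
            this.args = Arrays.asList(argList.split(","));
            this.requestParams = requestParams;
        }

        String parseArg() {
            String tok = args.get(pos++).trim();
            return tok.startsWith("$") ? requestParams.get(tok.substring(1)) : tok;
        }
    }

    /** As in the report: both arguments go straight into the constructor, unchecked. */
    static JoinDocFreqValueSource parseJoindfUnchecked(MiniFunctionParser fp) {
        String f0 = fp.parseArg();
        String qf = fp.parseArg();
        return new JoinDocFreqValueSource(f0, qf);
    }

    /** Fixed: unresolved or empty arguments are rejected at parse time, so the request fails
     *  with a syntax error instead of an NPE deep inside the searcher. */
    static JoinDocFreqValueSource parseJoindfChecked(MiniFunctionParser fp) throws FunctionSyntaxError {
        String f0 = fp.parseArg();
        String qf = fp.parseArg();
        if (f0 == null || f0.isEmpty()) {
            throw new FunctionSyntaxError("joindf: first argument (field) is missing");
        }
        if (qf == null || qf.isEmpty()) {
            throw new FunctionSyntaxError("joindf: second argument (qfield) is missing or unresolved");
        }
        return new JoinDocFreqValueSource(f0, qf);
    }

    public static void main(String[] argv) throws Exception {
        // Constructed request: the function text from the report, with $x never supplied.
        Map<String, String> params = new HashMap<>();   // no "x" entry
        String functionArgs = "genre:comedy,$x";

        JoinDocFreqValueSource vs = parseJoindfUnchecked(new MiniFunctionParser(functionArgs, params));
        try {
            vs.unsafeHashCode();
        } catch (NullPointerException e) {
            System.out.println("unchecked parser: NPE surfaced only when the query was hashed");
        }
        System.out.println("null-safe hashCode on the same object: " + vs.hashCode());

        try {
            parseJoindfChecked(new MiniFunctionParser(functionArgs, params));
        } catch (FunctionSyntaxError e) {
            System.out.println("checked parser: " + e.getMessage());
        }

        params.put("x", "genre_id");   // constructed value: what a client should have sent
        JoinDocFreqValueSource ok = parseJoindfChecked(new MiniFunctionParser(functionArgs, params));
        System.out.println("checked parser with $x set: qfield=" + ok.qfield);
    }
}
```

The parse-time check is the actual fix for the report: the parser is the one place that knows an argument was supposed to resolve to something, so it is where a missing "$x" should be turned into a client-facing error. The null-safe hashCode is a separate hardening step; it keeps a stray null from taking down the request path, but on its own it would let a half-built value source proceed, which is why the example applies both.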

Attachments

• home.zip (376 kB, Johannes Kloos)

People

• Assignee: Unassigned
• Reporter: Johannes Kloos (jkloos)