Issue 17332

Supplying a value to an API parameter that is also a SOLR Keyword causes a 500 Error

Reporter: godfoder
Assignee: fmendez
Type: Bug
Summary: Supplying a value to an API parameter that is also a SOLR Keyword causes a 500 Error
Priority: Major
Resolution: Fixed
Status: Resolved
Created: 2015-02-27 20:51:30.871
Updated: 2015-03-05 00:51:40.484
Resolved: 2015-03-05 00:51:40.459
        
Description: curl "http://api.gbif.org/v1/occurrence/search?institutionCode=MSU&collectionCode=OR&limit=0"

results in:

Problem accessing /occurrence/search. Reason:

    Server Error

Caused by:

org.apache.solr.client.solrj.impl.HttpSolrServer$RemoteSolrException: org.apache.solr.search.SyntaxError: Cannot parse '(collection_code:OR) AND (institution_code:MSU)': Encountered " <OR> "OR "" at line 1, column 17.

Also trigger-able from the portal at:
http://www.gbif.org/occurrence/search?COLLECTION_CODE=OR

I haven't tried, because I don't want to break anything, but I wouldn't be surprised if this was a slightly more benign form of injection attack (since that endpoint should be read only) that could nevertheless leave you open to a DOS risk via specially crafted expensive SOLR queries.
    


Author: fmendez@gbif.org
Created: 2015-03-05 00:51:40.481
Updated: 2015-03-05 00:51:40.481
        
This issue was addressed with the following commits:
https://github.com/gbif/common-search/commit/ba6c852799dd323c11cffd58b50f61bc0e94ed36

https://github.com/gbif/occurrence/commit/20963f2ceae7ee3b7cfb990cbc14e25cd871d913

https://github.com/gbif/checklistbank/commit/eabd961df68e982fe92277f18408d32c60d4b027

https://github.com/gbif/registry/commit/b1d3b8eaf1bfecaaf17595b651392930908267fc
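
The failure reported above, reproduced as an added example (not the code from the commits listed, and not GBIF's own implementation): a filter value concatenated into the Solr query string is parsed as syntax, while the same value emitted as a quoted phrase is treated as data. The class and method names are hypothetical, and the sketch assumes the fields are untokenized string fields and that field names come from a fixed server-side mapping rather than from the request.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

// Added illustration; SolrFilterDemo and its methods are hypothetical names.
public class SolrFilterDemo {

    // Unsafe: the raw value becomes part of the query syntax, so a value of
    // OR, AND or NOT is read as an operator and the parse fails.
    static String naiveClause(String field, String value) {
        return "(" + field + ":" + value + ")";
    }

    // Safer: emit the value as a quoted phrase. Inside double quotes the
    // Lucene/Solr standard parser reads AND/OR/NOT as ordinary text, and
    // only backslash and double quote need a preceding backslash.
    static String phraseClause(String field, String value) {
        StringBuilder sb = new StringBuilder();
        sb.append('(').append(field).append(":\"");
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\\' || c == '"') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.append("\")").toString();
    }

    // Assumption: keys are Solr field names already mapped from known API
    // parameters; only the values are request-controlled.
    static String build(Map<String, String> filters, boolean quoted) {
        StringJoiner query = new StringJoiner(" AND ");
        for (Map.Entry<String, String> e : filters.entrySet()) {
            query.add(quoted ? phraseClause(e.getKey(), e.getValue())
                             : naiveClause(e.getKey(), e.getValue()));
        }
        return query.toString();
    }

    public static void main(String[] args) {
        Map<String, String> filters = new LinkedHashMap<>();
        filters.put("collection_code", "OR");    // value from the report
        filters.put("institution_code", "MSU");  // value from the report
        System.out.println("naive : " + build(filters, false));
        System.out.println("quoted: " + build(filters, true));

        // Constructed value containing both characters that need escaping.
        filters.put("collection_code", "a\"b\\c");
        System.out.println("quoted: " + build(filters, true));
    }
}
```

Escaping individual special characters alone would not cover this report, because the value OR contains none; quoting the value (or otherwise handling bare keywords) is what removes its operator meaning.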