Add input validation to prevent Solr injection in query construction#27

Closed
Copilot wants to merge 3 commits into index_creators from copilot/sub-pr-8-another-one

Conversation

Copilot AI (Contributor) commented Feb 26, 2026

The _execute_solr_query method constructs Solr queries by directly joining query parts without validation. While current usage only passes internal strings, this pattern creates injection risk if user-controlled data is added later.

Changes

  • Added _validate_solr_query_part(): Validates query parts against shell injection patterns (;, ${...}, backticks, command chaining) and Solr-specific attacks (LocalParams {!...}, XSS vectors)

  • Added _validate_solr_field_name(): Restricts field names to [a-zA-Z0-9_-]+ to prevent injection through field parameters

  • Modified _execute_solr_query(): Validates all query parts and field names before query construction, returns empty list on validation failure

# Before: Direct string concatenation
query_string = " AND ".join(query_parts)

# After: Validated inputs
for part in query_parts:
    if not self._validate_solr_query_part(part):
        return []
query_string = " AND ".join(query_parts)

All existing queries pass validation. Defense-in-depth approach protects against future modifications.


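Worked example, added here and not code from this PR or the index_creators project: a small Python filter-query builder that shows the injection shape the PR describes (query operators parsed out of a value that was concatenated into the query) next to the two controls a reviewer would normally ask for in place of a pattern blocklist: an allowlist on field names (the same `[a-zA-Z0-9_-]+` the PR proposed) and quoting each value as a literal Solr phrase. All function names, the `contains_query_syntax` check and the sample values are my own constructions; the project's `_execute_solr_query` is not shown.

```python
import re

# Added example, not the project's code. Builds Solr fq strings from a
# field -> value mapping with an allowlist on field names and literal
# quoting of values. Names below are hypothetical.

# Same allowlist the PR proposed for field names: [a-zA-Z0-9_-]+
_FIELD_NAME = re.compile(r"[A-Za-z0-9_-]+")


def is_valid_field_name(name: str) -> bool:
    """Field names come from code, so a strict allowlist is cheap and exact."""
    return bool(_FIELD_NAME.fullmatch(name))


def solr_literal(value: str) -> str:
    """Turn an arbitrary string into a quoted Solr phrase that matches literally.

    Inside a double-quoted phrase the classic query parser only treats the
    backslash and the closing quote as syntax, so escaping those two is enough
    to neutralise operators (OR, *:*), ranges and LocalParams ({!...}) that
    would otherwise be parsed out of a user-supplied value.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def naive_fq(filters: dict[str, str]) -> str:
    """The pattern the PR flagged: field and value are concatenated unescaped."""
    return " AND ".join(f"{field}:{value}" for field, value in filters.items())


def safe_fq(filters: dict[str, str]) -> str:
    """Hardened builder: allowlisted field names, values quoted as literals.

    Raises on a bad field name instead of returning [] so a programming error
    surfaces in tests rather than as a silently empty result set.
    """
    clauses = []
    for field, value in filters.items():
        if not is_valid_field_name(field):
            raise ValueError(f"illegal Solr field name: {field!r}")
        clauses.append(f"{field}:{solr_literal(value)}")
    return " AND ".join(clauses)


def contains_query_syntax(fq: str) -> bool:
    """Test oracle: does any unquoted region of fq still carry parser syntax?

    Walks the string tracking quote state (honouring backslash escapes) and
    flags match-all, OR/NOT, range brackets or LocalParams outside quotes.
    An unbalanced quote means a value broke out of its phrase, so that is
    flagged too. This is for checking outputs, not a replacement for quoting.
    """
    in_quotes = False
    outside = []
    i = 0
    while i < len(fq):
        ch = fq[i]
        if ch == "\\":          # escaped character: never syntax
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes:
            outside.append(ch)
        i += 1
    if in_quotes:
        return True
    text = "".join(outside)
    return bool(re.search(r"\{!|\*:\*|\bOR\b|\bNOT\b|[\[\]]", text))


if __name__ == "__main__":
    # Constructed sample inputs: one benign, two hostile.
    benign = {"creator_id": "12345", "type": "person"}
    hostile = {"creator_id": "12345 OR *:*"}          # operator injection
    quote_break = {"name": 'foo" OR *:*'}             # phrase break-out
    print(safe_fq(benign))
    for case in (hostile, quote_break):
        print("naive:", naive_fq(case), "->", contains_query_syntax(naive_fq(case)))
        print("safe: ", safe_fq(case), "->", contains_query_syntax(safe_fq(case)))
```

The field-name allowlist is the control that matters when every field comes from code, which is the situation the maintainer describes below; quoting values is what protects the query the day a user-supplied value is added, and it does so by construction rather than by trying to enumerate bad patterns.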

Copilot AI and others added 2 commits February 26, 2026 21:38
Co-authored-by: alexdryden <47127862+alexdryden@users.noreply.github.com>
Co-authored-by: alexdryden <47127862+alexdryden@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update Creator Record Generation and Automatic Indexing PR" to "Add input validation to prevent Solr injection in query construction" on Feb 26, 2026
@alexdryden (Contributor) commented:

This isn't a real issue since we are only ever passing in params defined in the code.

@alexdryden alexdryden closed this Feb 26, 2026
@alexdryden alexdryden deleted the copilot/sub-pr-8-another-one branch February 26, 2026 22:10