SOLR-18170: add validation for configset names #4248
Merged
epugh merged 6 commits into apache:main on Mar 31, 2026
- Add CONFIGSET to SolrIdentifierValidator.IdentifierType enum
- Add validateConfigSetName() method in SolrIdentifierValidator
- Validate configset name in CloneConfigSet.cloneExistingConfigSet()
- Validate configset name in UploadConfigSet.uploadConfigSet() and uploadConfigSetFile()
- Add tests for invalid configset names in TestConfigSetsAPI

Agent-Logs-Url: https://github.com/epugh/solr/sessions/0bc6a4dc-739c-4e58-b626-e30446c4864b
Co-authored-by: epugh <22395+epugh@users.noreply.github.com>
…list

Agent-Logs-Url: https://github.com/epugh/solr/sessions/0bc6a4dc-739c-4e58-b626-e30446c4864b
Co-authored-by: epugh <22395+epugh@users.noreply.github.com>
epugh commented Mar 29, 2026
| // Checking error when configuration name contains invalid characters | ||
| for (String invalidName : new String[] {"configset!", "-configset"}) { | ||
| map = | ||
| postDataAndGetResponse( |
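Review bot: the invalid-name array in the for loop here lists only "configset!" and "-configset", so neither a name containing a space nor one containing a path separator is asserted in these lines. Since the description names test/../other as the traversal case this validation is meant to stop, consider adding such a name to the array so its HTTP 400 is pinned by the test.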
Contributor
Author
In another PR, this will move to strongly typed SolrJ object.
Contributor
Author
Test that failed is a known buggy test... Once I get a review, or no review and no "this isn't right" then I'll merge, mid week say?
malliaridis (Contributor) approved these changes on Mar 30, 2026 and left a comment:
This seems pretty much like just including configsets validation. I tested it manually by making direct API calls as well, and it works as expected, nice.
I do not know all the options we have for creating configsets, so maybe another reviewer would be good?
…ion-for-configset-names
epugh added a commit that referenced this pull request Mar 31, 2026
https://issues.apache.org/jira/browse/SOLR-18170
Description
The Configsets API (both v1 and v2) accepted arbitrary names including invalid characters (!, ", \) and hyphen-prefixed names, while the Admin UI already enforced collection-style naming rules. This inconsistency allowed creation of unusable configsets and potential path traversal via names like test/../other.

Solution

Changes

- SolrIdentifierValidator — Added CONFIGSET to IdentifierType enum and validateConfigSetName() convenience method, applying the same pattern already used for collections/cores/shards (^(?!\-)[\\._A-Za-z0-9\\-]+$)
- CloneConfigSet — Validate name before any other checks in cloneExistingConfigSet() (v2 CREATE)
- UploadConfigSet — Validate name at entry of both uploadConfigSet() and uploadConfigSetFile() (v2 UPLOAD)
- TestConfigSetsAPI — Added invalid-name assertions to testCreateErrors() and testUploadErrors() covering configset!, configset", -configset, and names with spaces

Invalid names now return HTTP 400:
I also discovered that I think some of the ignoreException() and unIgnoreException() pairing in our tests are not needed. At least in TestConfigSetsAPI copilot added one, and I removed it and the test worked just fine. Also finally learned a bit more about the use of LogListener, but going to save dealing with those legacy pairings for another PR.

Tests
Added new tests.
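An added example (not code from this PR or from Solr) that runs the pattern quoted in the description over the invalid names it lists, then applies a path-containment check as a second guard that the PR does not mention. The class name, the `check` helper, the base directory and the last three sample names are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.util.regex.Pattern;

public class ConfigSetNameCheck {
  // Pattern quoted in the PR description, written as a Java string literal.
  static final Pattern NAME = Pattern.compile("^(?!\\-)[\\._A-Za-z0-9\\-]+$");

  // Hypothetical helper (not Solr's API): allow-list check first, then
  // confirm the resolved path is a direct child of the base directory.
  static String check(Path base, String name) {
    if (name == null || !NAME.matcher(name).matches()) {
      return "400 invalid name";
    }
    // The character class admits dots, so dot-only names match the pattern.
    // Resolving and normalizing shows whether the result is still a child
    // of the base directory.
    Path resolved = base.resolve(name).normalize();
    if (!base.equals(resolved.getParent())) {
      return "400 not a child of base";
    }
    return "ok";
  }

  public static void main(String[] args) {
    // Constructed base directory, used only for path arithmetic (no I/O).
    Path base = Path.of("/var/solr/configsets").normalize();
    // Constructed inputs: the first five are the kinds of name the
    // description lists; the last three are added assumptions.
    String[] names = {
      "configset!", "configset\"", "-configset", "config set", "test/../other",
      "..", ".", "my_config-1.0"
    };
    for (String n : names) {
      System.out.printf("%-16s %s%n", '[' + n + ']', check(base, n));
    }
  }
}
```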