rmuir commented on issue #12023: URL: https://github.com/apache/lucene/issues/12023#issuecomment-1354168057
> Maybe will discuss the security part separately, but agree, one idea is to detect such queries and prevent running these queries in the first place, in this case (not the original issue) it was a bad query from an authenticated user.

> Since this specific case and likes of these cannot be addressed by `ExitableDirectoryReaders` alone where looping over terms aren't involved, we need alternatives to cancel runaway queries if there are other requests which could exhibit a similar behaviour (tight loops consuming resources)

It isn't separate. Look at the actual regexes: these are not normal user queries, they are malicious, constructed purposefully to cause problems. That's why the issue is improper security (e.g. authentication, audit logging etc). With these in place, if someone tries to run slow searches you will be able to attribute the malicious action to that human, hang, draw and quarter them, or whatever it is you want to do.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.