From 9118b3f3d8a2b62258e68bbf1c904fbc0ee58b61 Mon Sep 17 00:00:00 2001
From: Ishan Chattopadhyaya <ishan@apache.org>
Date: Mon, 6 Nov 2023 22:28:07 +0530
Subject: [PATCH] SOLR-16781: <lib ../> directive disabled by default

---
 solr/CHANGES.txt                              |  9 ++++
 .../java/org/apache/solr/core/SolrConfig.java |  6 +++
 .../configsets/_default/conf/solrconfig.xml   | 45 -------------------
 solr/solr-ref-guide/src/configsets-api.adoc   |  2 +-
 solr/solr-ref-guide/src/libs.adoc             |  5 +++
 5 files changed, 21 insertions(+), 46 deletions(-)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index e71c21e322e..73c17993a6b 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -8,11 +8,20 @@ https://github.com/apache/solr/blob/main/solr/solr-ref-guide/src/solr-upgrade-no
 
 Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
 
+Upgrade Notes
+--------------------- 
+
+* If your configset contains solrconfig.xml which uses <lib .. /> tags, you either need to remove them (and place your jar files
+  in the standard classpath instead) or use -Dsolr.lib.directive.allowed=true start up parameter for your Solr nodes. This is a
+  security measure to protect against RCE attacks. More details are in SOLR-16781.
+
 New Features
 ---------------------
 
 * SOLR-15694, 15715: Node roles and dedicated query coordinator nodes (Hitesh Khamesra, Ishan Chattopadhyaya, noble)
 
+* SOLR-16781: Disable <lib> directives in solrconfig.xml by default (Ishan Chattopadhyaya)
+
 Bug Fixes
 ---------------------
 * SOLR-16429: Add AWS STS support in s3-repository (Josh Souza via Houston Putman and Kevin Risden)
diff --git a/solr/core/src/java/org/apache/solr/core/SolrConfig.java b/solr/core/src/java/org/apache/solr/core/SolrConfig.java
index dfe8313f725..8806bd5b431 100644
--- a/solr/core/src/java/org/apache/solr/core/SolrConfig.java
+++ b/solr/core/src/java/org/apache/solr/core/SolrConfig.java
@@ -843,8 +843,14 @@ private void initLibs(SolrResourceLoader loader, boolean isConfigsetTrusted) {
       }
     }
 
+    boolean libDirectiveAllowed = Boolean.getBoolean(System.getProperty("solr.lib.directive.allowed", "false"));
     List<ConfigNode> nodes = root.getAll("lib");
     if (nodes != null && nodes.size() > 0) {
+      if (!libDirectiveAllowed) {
+        throw new SolrException(ErrorCode.UNAUTHORIZED,
+            "<lib .. /> directive is not allowed to be used in a configset unless the Solr node is started with "
+            + "'-Dsolr.lib.directive.allowed=true'. Please remove the <lib .. /> from your solrconfig.xml and try again.");
+      }
       if (!isConfigsetTrusted) {
         throw new SolrException(ErrorCode.UNAUTHORIZED,
           "The configset for this collection was uploaded without any authentication in place,"
diff --git a/solr/server/solr/configsets/_default/conf/solrconfig.xml b/solr/server/solr/configsets/_default/conf/solrconfig.xml
index 762d4e67122..cf2430567ff 100644
--- a/solr/server/solr/configsets/_default/conf/solrconfig.xml
+++ b/solr/server/solr/configsets/_default/conf/solrconfig.xml
@@ -37,51 +37,6 @@
   -->
   <luceneMatchVersion>8.11.3</luceneMatchVersion>
 
-  <!-- <lib/> directives can be used to instruct Solr to load any Jars
-       identified and use them to resolve any "plugins" specified in
-       your solrconfig.xml or schema.xml (ie: Analyzers, Request
-       Handlers, etc...).
-
-       All directories and paths are resolved relative to the
-       instanceDir.
-
-       Please note that <lib/> directives are processed in the order
-       that they appear in your solrconfig.xml file, and are "stacked"
-       on top of each other when building a ClassLoader - so if you have
-       plugin jars with dependencies on other jars, the "lower level"
-       dependency jars should be loaded first.
-
-       If a "./lib" directory exists in your instanceDir, all files
-       found in it are included as if you had used the following
-       syntax...
-
-              <lib dir="./lib" />
-    -->
-
-  <!-- A 'dir' option by itself adds any files found in the directory
-       to the classpath, this is useful for including all jars in a
-       directory.
-
-       When a 'regex' is specified in addition to a 'dir', only the
-       files in that directory which completely match the regex
-       (anchored on both ends) will be included.
-
-       If a 'dir' option (with or without a regex) is used and nothing
-       is found that matches, a warning will be logged.
-
-       The example below can be used to load a solr-contrib along
-       with their external dependencies.
-    -->
-    <!-- <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-ltr-\d.*\.jar" /> -->
-
-  <!-- an exact 'path' can be used instead of a 'dir' to specify a
-       specific jar file.  This will cause a serious error to be logged
-       if it can't be loaded.
-    -->
-  <!--
-     <lib path="../a-jar-that-does-not-exist.jar" />
-  -->
-
   <!-- Data Directory
 
        Used to specify an alternate directory to hold all index data
diff --git a/solr/solr-ref-guide/src/configsets-api.adoc b/solr/solr-ref-guide/src/configsets-api.adoc
index ac492b1764f..5c1cec66681 100644
--- a/solr/solr-ref-guide/src/configsets-api.adoc
+++ b/solr/solr-ref-guide/src/configsets-api.adoc
@@ -90,7 +90,7 @@ A configset is uploaded in a "trusted" mode if authentication is enabled and the
 * If specified in the configset, the DataImportHandler's ScriptTransformer will not initialize.
 * The XSLT transformer (`tr` parameter) cannot be used at request processing time.
 * If specified in the configset, the StatelessScriptUpdateProcessor will not initialize.
-* Collections won't initialize if <lib> directives are used in the configset. (Note: Libraries added to Solr's classpath don't need the <lib> directive)
+* Collections won't initialize if <lib> directives are used in the configset, even if Solr is started with `-Dsolr.lib.directive.allowed=true`. (Note: Libraries added to Solr's classpath don't need the <lib> directive)
 
 If you use any of these parameters or features, you must have enabled security features in your Solr installation and you must upload the configset as an authenticated user.
 
diff --git a/solr/solr-ref-guide/src/libs.adoc b/solr/solr-ref-guide/src/libs.adoc
index 191293b6e5d..97b47457ab6 100644
--- a/solr/solr-ref-guide/src/libs.adoc
+++ b/solr/solr-ref-guide/src/libs.adoc
@@ -45,6 +45,11 @@ Solr plugins won't work in these locations.
 
 == Lib Directives in SolrConfig
 
+[IMPORTANT]
+====
+This functionality is disabled by default. Solr nodes needs to be started with a `-Dsolr.lib.directive.allowed=true`.
+====
+
 _Both_ plugin and <<resource-loading.adoc#,resource>> file paths are configurable via `<lib/>` directives in `solrconfig.xml`.
 When a directive matches a directory, then resources can be resolved from it.
 When a directive matches a `.jar` file, Solr plugins and their dependencies are resolved from it.