Hey Walter,

Can you set the value for start (0) and rows (your default sensible response row size) as an invariant in the request handler you're using so it can't be overridden from a client request? That's how I've defended against it from Solr's perspective in the past. This can be hard coded in your request handler in the XML of your solr-config or using the parameters API. I've found it a simple but effective approach and there's an example here from the docs (https://solr.apache.org/guide/8_8/requesthandlers-and-searchcomponents-in-solrconfig.html#request-handlers).
Thanks,
Dwane
________________________________
From: Walter Underwood <wun...@wunderwood.org>
Sent: Saturday, 26 June 2021 6:39 AM
To: users@solr.apache.org <users@solr.apache.org>
Subject: Re: Defense against deep paging?

Thanks, that is exactly the info I wanted! I’ve commented there, even though it is closed as Won’t Do.

wunder
Walter Underwood
wun...@wunderwood.org
http://observer.wunderwood.org/ (my blog)

> On Jun 25, 2021, at 12:46 PM, Mike Drob <md...@mdrob.com> wrote:
>
> This was discussed somewhat in
> https://issues.apache.org/jira/browse/SOLR-15252 with no
> implementation provided.
>
> On Fri, Jun 25, 2021 at 11:52 AM Walter Underwood <wun...@wunderwood.org>
> wrote:
>>
>> I already said that we have a limit in the client code. I’m asking about a
>> limit in Solr.
>>
>> wunder
>> Walter Underwood
>> wun...@wunderwood.org
>> http://observer.wunderwood.org/ (my blog)
>>
>>> On Jun 25, 2021, at 11:50 AM, Håvard Wahl Kongsgård
>>> <haavard.kongsga...@gmail.com> wrote:
>>>
>>> Just create a proxy client between the user and solr. Set if page >= 500 ….
>>> else
>>>
>>> Simple stuff
>>>
>>> On Fri, 25 Jun 2021 at 19:20, Walter Underwood <wun...@wunderwood.org> wrote:
>>>
>>>> Has anyone implemented protection against deep paging inside Solr? I’m
>>>> thinking about something like a max_rows parameter, where if start+rows was
>>>> greater than that, it would limit the max result to that number. Or maybe
>>>> just return a 400, that would be OK too.
>>>>
>>>> I’ve had three or four outages caused by deep paging over the past dozen
>>>> years with Solr. We implement a limit in the client code, then someone
>>>> forgets to add it to the redesigned client code. A limit in the request
>>>> handler would be so much easier.
>>>>
>>>> And yes, I know about cursor marks. We don’t want to enable deep paging,
>>>> we want to stop it.
>>>>
>>>> wunder
>>>> Walter Underwood
>>>> wun...@wunderwood.org
>>>> http://observer.wunderwood.org/ (my blog)
>>>>
>>>> --
>>> Håvard Wahl Kongsgård
>>> Data Scientist
>>
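
The invariants approach described in Dwane's reply at the top of this thread, shown as an added example that is not part of the original emails or the Solr project's own configuration. The handler names and the rows value of 10 are assumptions chosen for illustration.

```xml
<!-- solrconfig.xml fragment (added example; handler names and rows=10 are assumptions) -->

<!-- Overridable: "defaults" apply only when the request omits the parameter,
     so a client can still send its own large start and rows values. -->
<requestHandler name="/select-open" class="solr.SearchHandler">
  <lst name="defaults">
    <int name="start">0</int>
    <int name="rows">10</int>
  </lst>
</requestHandler>

<!-- Pinned: "invariants" replace whatever the request sends for these parameters.
     With start fixed at 0, this handler only ever returns the first page. -->
<requestHandler name="/select" class="solr.SearchHandler">
  <lst name="invariants">
    <int name="start">0</int>
    <int name="rows">10</int>
  </lst>
</requestHandler>
```

A request that sends a larger start or rows is not rejected with a 400; the invariant values are used instead. Any other request handler that clients can reach needs the same invariants section.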