adobe / aem-core-wcm-components

Standardized components to build websites with AEM.
https://docs.adobe.com/content/help/en/experience-manager-core-components/using/introduction.html
Apache License 2.0

[Search] Fulltext search of pages might lead to DDOS #70

Closed peterps-health closed 6 years ago

peterps-health commented 6 years ago

https://github.com/Adobe-Marketing-Cloud/aem-core-wcm-components/blob/f890bb4718d3ae2c802cabe8f1d4dcd337643a80/bundles/core/src/main/java/com/adobe/cq/wcm/core/components/sandbox/internal/models/v1/SearchImpl.java#L176

Either provide an indexed search or put some rate limit.

richardhand commented 6 years ago

@peterps-health - thanks for reporting, we have this tracked and will look into a solution.

gabrielwalt commented 6 years ago

We'll start to look into that (CQ-4246601 and CQ-4221475).

jckautzmann commented 6 years ago

Please note that the Search Component relies on a Lucene page index which is available out-of-the-box in AEM at /oak:index/cqPageLucene. Protecting the Search Component or any AEM based application against DOS attacks should be implemented at a higher level, for example by using mod_security on the dispatcher.