
Limit query execution time

Open · zner0L opened this issue 6 years ago · 1 comment

Thank you for your amazing work with this, it is awesome to use Xapiand! We really want to use Xapiand in our current project; we are, however, concerned about security. Since I couldn't find any information on this in the docs, I figured I would just ask:

  • What operators are allowed within text queries? Trying it out, it seemed to be mainly logic operators, but I didn't really figure out how the queries are parsed and where in the code this happens. We would like to be able to sanitize the queries before letting them touch Xapiand, so we need to know what to look for.
  • Is there a way to limit query execution time, or is there already a limit? I didn't seem to reach one. We are especially concerned about this because we want to be able to prevent DoS attacks on our search server, and limiting execution time would be a good measure to counter that.

zner0L · Jul 17 '19 12:07

Text queries follow a lot of what Xapian itself supports in its Query Parser (https://getting-started-with-xapian.readthedocs.io/en/latest/concepts/search/queryparser.html), but the boolean tree is parsed by Xapiand instead (src/booleanParser and src/query_dsl.cc). However, instead of parsing queries from text, we recommend using the QueryDSL explained to some extent in https://kronuz.io/Xapiand/docs/reference-guide/search/query-dsl/#query-dsl. There's still a lot that can be checked to make sure Xapiand sanitizes all input and is secure, but some work has been done already by the Xapian QueryParser.

Regarding limiting the execution time, it currently doesn't have a limit, but it certainly sounds like a nice feature. We'll have to investigate if there's an efficient way to implement such execution limits.

Kronuz · Jul 17 '19 21:07
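The two points raised in this thread (strip query-parser operators from untrusted text and send a structured query instead, and cope with a backend that has no server-side execution limit) can be handled in front of the search server. The following is an added example, not code from the Xapiand project or from either participant. It assumes a caller-supplied `send` callable standing in for the HTTP round trip, and the JSON shape it emits (`{"query": {"field": ..., "terms": [...]}}`) is a hypothetical placeholder, not Xapiand's documented Query DSL; the real keys are in the Query DSL reference linked above. The operator words it drops (AND, OR, NOT, XOR, NEAR, ADJ) are the ones the Xapian QueryParser recognises in free text.

```python
"""Defensive front-end for forwarding untrusted search text to a search
backend with no execution limit. Added example; not Xapiand's own code."""
import json
import re
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout
from typing import Callable

# Operator words the Xapian QueryParser interprets in free text.
_OPERATOR_WORDS = {"AND", "OR", "NOT", "XOR", "NEAR", "ADJ"}
# Plain word runs only: quotes, +/-, wildcards and other punctuation vanish.
_TOKEN = re.compile(r"[^\W_]+", re.UNICODE)

MAX_TERMS = 8       # bound on query width per request
MAX_TERM_LEN = 40   # bound on term length (also limits wildcard-like blowup)


def extract_terms(user_text: str, max_terms: int = MAX_TERMS,
                  max_term_len: int = MAX_TERM_LEN) -> list[str]:
    """Reduce free text to lower-cased word tokens with operators removed."""
    terms: list[str] = []
    for tok in _TOKEN.findall(user_text):
        if tok in _OPERATOR_WORDS:      # operators are upper-case in Xapian
            continue
        terms.append(tok[:max_term_len].lower())
        if len(terms) >= max_terms:
            break
    return terms


def build_query(terms: list[str], field: str) -> dict:
    """Structured query body. HYPOTHETICAL shape, not the real Xapiand DSL."""
    return {"query": {"field": field, "terms": terms}}


class SearchGateway:
    """Applies a client-side deadline and a cap on in-flight searches.

    Caveat from the thread: the backend has no execution limit, so a request
    that times out here keeps consuming server CPU until it finishes. The
    in-flight cap bounds how much of that abandoned work one gateway can
    have outstanding; it does not cancel it.
    """

    def __init__(self, send: Callable[[bytes], bytes], timeout_s: float,
                 max_inflight: int):
        self._send = send
        self._timeout = timeout_s
        self._max_inflight = max_inflight
        self._inflight = 0
        self._lock = threading.Lock()
        self._pool = ThreadPoolExecutor(max_workers=max_inflight)

    @property
    def inflight(self) -> int:
        with self._lock:
            return self._inflight

    def _release(self, _fut) -> None:
        with self._lock:
            self._inflight -= 1

    def search(self, user_text: str, field: str = "content") -> dict:
        terms = extract_terms(user_text)
        if not terms:
            raise ValueError("no searchable terms")
        body = json.dumps(build_query(terms, field)).encode()
        with self._lock:
            if self._inflight >= self._max_inflight:
                raise RuntimeError("too many searches in flight")
            self._inflight += 1
        fut = self._pool.submit(self._send, body)
        fut.add_done_callback(self._release)   # runs when the backend returns
        try:
            return json.loads(fut.result(timeout=self._timeout))
        except FutureTimeout:
            raise TimeoutError("search exceeded client deadline") from None


def demo() -> tuple:
    """Run against constructed fake backends (no network, no real server)."""
    echo = SearchGateway(lambda body: body, timeout_s=1.0, max_inflight=2)
    cleaned = echo.search('rust AND "memory safety"')["query"]["terms"]

    def slow_backend(body: bytes) -> bytes:   # constructed: simulates a heavy query
        time.sleep(0.3)
        return body

    slow = SearchGateway(slow_backend, timeout_s=0.05, max_inflight=1)
    outcomes: list = []
    for text in ("first", "second"):
        try:
            slow.search(text)
            outcomes.append("ok")
        except TimeoutError:
            outcomes.append("timeout")
        except RuntimeError:
            outcomes.append("rejected")
    time.sleep(0.4)                 # abandoned request finishes on the server
    outcomes.append(slow.inflight)  # slot is freed only now
    return cleaned, outcomes


if __name__ == "__main__":
    print(demo())
```

The `demo` run shows the order of events a practitioner should expect: the first slow query trips the client deadline, the second is rejected immediately because the abandoned one still occupies the single slot, and the slot frees only once the backend finishes. That is exactly why a client-side timeout alone is not a DoS control when the server has no execution limit of its own.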