JR57039: REST search handlers allow excessive search terms to be searched

APAR status

  • Closed as program error.

Error description

  • Depending on the data stored in your catalog, it may be legitimate
    for a shopper to search with up to 10 (or more) search terms. In
    most cases, however, a search with many more terms than that is
    either excessive or malicious.
    
    Because the storefront is responsible for building the search REST
    request, a storefront that allows an unlimited (or very high)
    number of search terms lets a potentially heavy search query be
    executed against the search server. A similar issue arises if
    search REST requests can be sent directly to the Search server
    from any source, bypassing the storefront.
    

Local fix

Problem summary

  • USERS AFFECTED:
    WebSphere Commerce Version 7 and Version 8.
    
    PROBLEM ABSTRACT:
    REST search handlers allow excessive search terms to be searched
    
    BUSINESS IMPACT:
    The site could become non-responsive once system load reaches a
    certain level while these long search requests are being
    processed.
    
    RECOMMENDATION:
    

Problem conclusion

  • Two configurations have been added on the Search server's
    com.ibm.commerce.catalog/wc-component.xml to provide a bounded
    condition check on the length of the search phrase as well as
    the maximum number of allowed search terms:
    
    MaximumNumberOfSearchTerms - Defines the maximum number of
    tokens that will be used as a search phrase. Any tokens beyond
    the given bound are discarded in order to prevent overloading
    the system. Default value is 20.
    
    MaximumLengthOfSearchPhrase - Defines the maximum length of the
    search phrase. Any characters beyond the given bound are
    discarded in order to prevent overloading the system. Default
    value is 100.
    
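The following is an added illustration of the bounding behaviour described in the error description and problem conclusion above; it is not IBM's code or configuration. The function names, the order in which the two bounds are applied (length first, then term count), and the rule that drops a word fragment left by the length cut are assumptions made for the example. The inputs are constructed.

```python
"""Bounded search-phrase handling, in the style of the JR57039 fix.

Constructed illustration: the storefront forwards the shopper's query to the
search REST handler, so a client can submit hundreds of terms in one request.
The APAR bounds two things before the query reaches the search server: the
length of the phrase and the number of terms.  Function names, the order in
which the two bounds are applied, and the fragment-dropping rule are
assumptions made here; this is not IBM's code or configuration.
"""

# Defaults stated in the APAR for the two wc-component.xml settings.
MAXIMUM_NUMBER_OF_SEARCH_TERMS = 20
MAXIMUM_LENGTH_OF_SEARCH_PHRASE = 100


def bound_search_phrase(phrase, max_terms=MAXIMUM_NUMBER_OF_SEARCH_TERMS,
                        max_length=MAXIMUM_LENGTH_OF_SEARCH_PHRASE):
    """Discard whatever exceeds the configured bounds and report what was cut.

    The length cap is applied first (assumption): a single very long token
    could otherwise carry an arbitrary amount of text past the term cap.  The
    clipped text is then split on whitespace and surplus tokens are dropped.
    Extra input is discarded rather than rejected, matching the APAR's wording.
    """
    if max_terms < 1 or max_length < 1:
        raise ValueError("bounds must be positive integers")

    clipped = phrase[:max_length]
    length_truncated = len(phrase) > max_length
    tokens = clipped.split()

    # If the cut landed inside a word, the last token is a fragment the shopper
    # never typed (e.g. "sh" from "shoes"); drop it.  Assumption: the APAR only
    # says extra characters are discarded, it does not describe this rule.
    if (length_truncated and tokens
            and not clipped[-1].isspace()
            and not phrase[max_length].isspace()):
        tokens.pop()

    kept = tokens[:max_terms]
    return {
        "phrase": " ".join(kept),
        "terms": kept,
        "length_truncated": length_truncated,
        "terms_dropped": len(tokens) - len(kept),
    }


def build_search_request(raw_query):
    """Stand-in for the storefront building its REST call to the search server.

    Returns the parameters that would be sent.  Applying the bound here, on the
    request builder, covers the first case in the APAR; the same function would
    have to run inside the search server's handler to cover requests that
    bypass the storefront.
    """
    bounded = bound_search_phrase(raw_query)
    return {"searchTerm": bounded["phrase"], "termCount": len(bounded["terms"])}


if __name__ == "__main__":
    # Constructed inputs: an ordinary query and two abusive ones.
    normal = "red running shoes"
    many_short_terms = " ".join(["a"] * 60)          # 60 terms, 119 chars
    many_long_terms = " ".join(f"term{i}" for i in range(500))

    for q in (normal, many_short_terms, many_long_terms):
        r = bound_search_phrase(q)
        print(f"{len(q):5d} chars in -> {len(r['terms']):2d} terms, "
              f"{len(r['phrase']):3d} chars out, "
              f"length_truncated={r['length_truncated']}, "
              f"terms_dropped={r['terms_dropped']}")
```

With the defaults, the 100-character cap is usually the binding one: a 500-term query of five- and six-letter words is cut to 15 terms by length alone, while only very short tokens (single letters) reach the 20-term cap. Whichever bound bites, the query that reaches the search server is of a fixed maximum size, which is the property the APAR is after; the bound has to be enforced on the Search server side as well as in the storefront for requests that do not come through the storefront.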

Temporary fix

Comments

APAR Information

  • APAR number

    JR57039

  • Reported component name

    WC BUS EDITION

  • Reported component ID

    5724I3800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Pervasive /

  •  

    Xsystem

  • Submitted date

    2016-11-21

  • Closed date

    2017-01-10

  • Last modified date

    2017-01-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WC BUS EDITION

  • Fixed component ID

    5724I3800

Applicable component levels

  • R700 PSY

       UP


Document Information

Modified date:
11 December 2021