From 45af18ae9c89876647c5c36ce79cc37d76f423eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Renault?=
Date: Thu, 9 May 2024 21:51:51 +0200
Subject: [PATCH] Check the Rhai syntax before accepting the script
---
 meilisearch/src/routes/indexes/documents.rs | 5 +++++
 milli/src/lib.rs | 2 +-
 milli/src/update/index_documents/mod.rs | 8 +++++---
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/meilisearch/src/routes/indexes/documents.rs b/meilisearch/src/routes/indexes/documents.rs
index 83c75ca4d..98a526eb8 100644
--- a/meilisearch/src/routes/indexes/documents.rs
+++ b/meilisearch/src/routes/indexes/documents.rs
@@ -599,6 +599,11 @@ pub async fn edit_documents_by_function(
 // analytics.delete_documents(DocumentDeletionKind::PerFilter, &req);
+ let engine = milli::rhai::Engine::new();
+ if let Err(e) = engine.compile(&function) {
+ return Err(ResponseError::from_msg(e.to_string(), Code::BadRequest));
+ }
+
 if let Some(ref filter) = filter {
 // we ensure the filter is well formed before enqueuing it
 || -> Result<_, ResponseError> {
diff --git a/milli/src/lib.rs b/milli/src/lib.rs
index 581ffc73c..fcb0da19c 100644
--- a/milli/src/lib.rs
+++ b/milli/src/lib.rs
@@ -45,7 +45,7 @@ pub use search::new::{
 };
 use serde_json::Value;
 pub use thread_pool_no_abort::{PanicCatched, ThreadPoolNoAbort, ThreadPoolNoAbortBuilder};
-pub use {charabia as tokenizer, heed};
+pub use {charabia as tokenizer, heed, rhai};
 pub use self::asc_desc::{AscDesc, AscDescError, Member, SortError};
 pub use self::criterion::{default_criteria, Criterion, CriterionError};
diff --git a/milli/src/update/index_documents/mod.rs b/milli/src/update/index_documents/mod.rs
index b29321c3c..6c1139f58 100644
--- a/milli/src/update/index_documents/mod.rs
+++ b/milli/src/update/index_documents/mod.rs
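Review bot: The check added in `edit_documents_by_function` validates syntax only, and it does so on a default `Engine::new()` built inside the request handler, which is a separate engine configuration from whichever engine later evaluates the script in milli. Anything the two engines could disagree on (registered functions, disabled symbols, size or operation limits) would pass here and surface only at indexing time, where `milli/src/update/index_documents/mod.rs` unwraps the evaluation result. I would expose a single engine constructor from milli and use it in both places, and cap the length of `function` before parsing, since it is caller-supplied and is compiled inline in the async handler. A comment such as `// syntax check only; runtime failures of the script are not caught here` would keep the guarantee from being overstated. The function body continues outside the hunk.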
@@ -16,7 +16,7 @@ use grenad::{Merger, MergerBuilder};
 use heed::types::Str;
 use heed::Database;
 use rand::SeedableRng;
-use rhai::{Engine, Scope};
+use rhai::{Dynamic, Engine, Scope};
 use roaring::RoaringBitmap;
 use serde::{Deserialize, Serialize};
 use slice_group_by::GroupBy;
@@ -239,11 +239,13 @@ where
 let mut scope = Scope::new();
 scope.push("doc", document);
- let new_document = engine.eval_ast_with_scope::(&mut scope, &ast).unwrap();
+ let _ = engine.eval_ast_with_scope::(&mut scope, &ast).unwrap();
+ let new_document = scope.remove("doc").unwrap();
 let new_document = rhaimap_to_object(new_document);
 assert_eq!(
- document_id, new_document[primary_key],
+ Some(&document_id),
+ new_document.get(primary_key),
 "you cannot change the document id when editing documents"
 );
 documents_batch_builder.append_json_object(&new_document)?;
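Review bot: In the second hunk (`@@ -239,11 +239,13 @@`) every way a user script can misbehave still ends in a panic inside the indexing loop. The evaluation result is unwrapped, the new `scope.remove("doc").unwrap()` fails when `doc` is missing from the scope (and presumably when the script rebinds it to another type), and a changed primary key trips `assert_eq!`. The script is request input and the surrounding code already propagates errors with `?`, so these should become returned errors, for example `let new_document = scope.remove("doc").ok_or_else(|| /* user-facing error variant */)?;` and a plain `if` comparison in place of the assertion. The move to `new_document.get(primary_key)` appears to remove only the panic on a missing key; the mismatch case is unchanged. The enclosing function starts and ends outside the hunk.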