From 3987d17e408af6950ee038291c2e14f80e6a5076 Mon Sep 17 00:00:00 2001 From: mpostma Date: Wed, 24 Feb 2021 11:00:15 +0100 Subject: [PATCH 1/2] add indx uid format guard on create ops --- meilisearch-http/src/data/mod.rs | 9 +++++++++ meilisearch-http/src/data/updates.rs | 13 ++++++++++--- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/meilisearch-http/src/data/mod.rs b/meilisearch-http/src/data/mod.rs index ed5ce4952..fee29561a 100644 --- a/meilisearch-http/src/data/mod.rs +++ b/meilisearch-http/src/data/mod.rs @@ -8,6 +8,7 @@ use std::ops::Deref; use std::sync::Arc; use sha2::Digest; +use anyhow::bail; use crate::index_controller::{IndexController, LocalIndexController, IndexMetadata, Settings, IndexSettings}; use crate::option::Opt; @@ -126,6 +127,9 @@ impl Data { } pub fn create_index(&self, name: impl AsRef, primary_key: Option>) -> anyhow::Result { + if !is_index_uid_valid(name.as_ref()) { + bail!("invalid index uid: {:?}", name.as_ref()) + } let settings = IndexSettings { name: Some(name.as_ref().to_string()), primary_key: primary_key.map(|s| s.as_ref().to_string()), @@ -145,3 +149,8 @@ impl Data { &self.api_keys } } + +fn is_index_uid_valid(uid: &str) -> bool { + uid.chars().all(|x| x.is_ascii_alphanumeric() || x == '-' || x == '_') +} + diff --git a/meilisearch-http/src/data/updates.rs b/meilisearch-http/src/data/updates.rs index fbb9be801..a784dce99 100644 --- a/meilisearch-http/src/data/updates.rs +++ b/meilisearch-http/src/data/updates.rs 
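Review bot: The uid check added to `create_index` is repeated verbatim, message included, in `add_documents` and `update_settings` in data/updates.rs, so the rule is enforced only where someone remembers to paste it. Any other `Data` method that forwards an index name to the controller lies outside these hunks and, as far as the diff shows, is not guarded. A single helper next to `is_index_uid_valid`, for example `fn ensure_index_uid_valid(uid: &str) -> anyhow::Result<()>`, called as `ensure_index_uid_valid(name.as_ref())?;`, would keep the rule and the message in one place. The error is also an untyped `bail!` string, so the 400 that the new tests expect depends on an error-to-status mapping that is not visible here.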
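Review bot: `is_index_uid_valid` accepts the empty string, because `all` over an empty `chars()` iterator returns true, and it sets no upper bound on length. Whether a route can actually deliver an empty uid is not visible in this diff, but the guard should not rely on that: `!uid.is_empty() && uid.chars().all(|x| x.is_ascii_alphanumeric() || x == '-' || x == '_')`. A length cap is worth considering if the uid ends up as a file or directory name, which the diff does not show. The function also deserves a doc comment stating the contract, e.g. `/// An index uid is non-empty and contains only ASCII letters, digits, '-' and '_'.`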
@@ -1,13 +1,13 @@ use std::ops::Deref; +use anyhow::bail; use async_compression::tokio_02::write::GzipEncoder; use futures_util::stream::StreamExt; use milli::update::{IndexDocumentsMethod, UpdateFormat}; use tokio::io::AsyncWriteExt; -use crate::index_controller::UpdateStatus; -use crate::index_controller::{IndexController, Settings, IndexSettings, IndexMetadata}; -use super::Data; +use super::{Data, is_index_uid_valid}; +use crate::index_controller::{UpdateStatus, IndexController, Settings, IndexSettings, IndexMetadata}; impl Data { pub async fn add_documents( @@ -22,6 +22,10 @@ impl Data { B: Deref, E: std::error::Error + Send + Sync + 'static, { + if !is_index_uid_valid(index.as_ref()) { + bail!("invalid index uid: {:?}", index.as_ref()) + } + let file = tokio::task::spawn_blocking(tempfile::tempfile).await?; let file = tokio::fs::File::from_std(file?); let mut encoder = GzipEncoder::new(file); @@ -57,6 +61,9 @@ impl Data { index: impl AsRef + Send + Sync + 'static, settings: Settings ) -> anyhow::Result { + if !is_index_uid_valid(index.as_ref()) { + bail!("invalid index uid: {:?}", index.as_ref()) + } let index_controller = self.index_controller.clone(); let update = tokio::task::spawn_blocking(move || index_controller.update_settings(index, settings)).await??; Ok(update.into()) From 561f29042c3d7c3b54211573462f209a02f524e7 Mon Sep 17 00:00:00 2001 From: mpostma Date: Wed, 24 Feb 2021 11:15:48 +0100 Subject: [PATCH 2/2] add tests --- Cargo.lock | 7 +++++++ meilisearch-http/Cargo.toml | 1 + meilisearch-http/tests/common/server.rs | 7 ++++--- .../tests/documents/add_documents.rs | 16 ++++++++++++++++ meilisearch-http/tests/index/create_index.rs | 4 +--- meilisearch-http/tests/settings/get_settings.rs | 9 +++++++++ 6 files changed, 38 insertions(+), 6 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 17575cd48..e1b3b0762 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -1677,6 +1677,7 @@ dependencies = [ "tempdir", "tempfile", "tokio", + "urlencoding", "uuid", "vergen", ] @@ -3298,6 +3299,12 @@ dependencies = [ "serde", ] +[[package]] +name = "urlencoding" +version = "1.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c9232eb53352b4442e40d7900465dfc534e8cb2dc8f18656fcb2ac16112b5593" + [[package]] name = "utf8-width" version = "0.1.4" diff --git a/meilisearch-http/Cargo.toml b/meilisearch-http/Cargo.toml index b760a3d27..2fe9d92d7 100644 --- a/meilisearch-http/Cargo.toml +++ b/meilisearch-http/Cargo.toml @@ -71,6 +71,7 @@ serde_url_params = "0.2.0" tempdir = "0.3.7" assert-json-diff = { branch = "master", git = "https://github.com/qdequele/assert-json-diff" } tokio = { version = "0.2", features = ["macros", "time"] } +urlencoding = "1.1.1" [features] default = ["sentry"] diff --git a/meilisearch-http/tests/common/server.rs b/meilisearch-http/tests/common/server.rs index d7d76445c..943284736 100644 --- a/meilisearch-http/tests/common/server.rs +++ b/meilisearch-http/tests/common/server.rs @@ -1,7 +1,8 @@ -use tempdir::TempDir; +use actix_web::http::StatusCode; use byte_unit::{Byte, ByteUnit}; use serde_json::Value; -use actix_web::http::StatusCode; +use tempdir::TempDir; +use urlencoding::encode; use meilisearch_http::data::Data; use meilisearch_http::option::{Opt, IndexerOpts}; @@ -60,7 +61,7 @@ impl Server { /// Returns a view to an index. There is no guarantee that the index exists. pub fn index<'a>(&'a self, uid: impl AsRef) -> Index<'a> { Index { - uid: uid.as_ref().to_string(), + uid: encode(uid.as_ref()), service: &self.service, } } diff --git a/meilisearch-http/tests/documents/add_documents.rs b/meilisearch-http/tests/documents/add_documents.rs index 70d6aab68..63724af18 100644 --- a/meilisearch-http/tests/documents/add_documents.rs +++ b/meilisearch-http/tests/documents/add_documents.rs 
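Review bot: `Server::index` in tests/common/server.rs now stores the percent-encoded uid in `Index.uid`, so any helper that puts `self.uid` into a JSON body rather than a URL path will send the encoded text instead of the string the test wrote. Those helpers are outside the hunk, but if `create` posts the uid in its body, then `create_with_invalid_index_uid` is rejected for the `%` in `test%20test%23%21` rather than for the original `test test#!`. Keeping `uid: uid.as_ref().to_string()` and calling `encode(&self.uid)` only where a request path is built would keep both uses correct. Failing that, the doc comment on `index` should say that the stored uid is percent-encoded.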
@@ -45,6 +45,22 @@ async fn add_documents_no_index_creation() { assert_eq!(response["primaryKey"], "id"); } +#[actix_rt::test] +async fn document_add_create_index_bad_uid() { + let server = Server::new().await; + let index = server.index("883 fj!"); + let (_response, code) = index.add_documents(json!([]), None).await; + assert_eq!(code, 400); +} + +#[actix_rt::test] +async fn document_update_create_index_bad_uid() { + let server = Server::new().await; + let index = server.index("883 fj!"); + let (_response, code) = index.update_documents(json!([]), None).await; + assert_eq!(code, 400); +} + #[actix_rt::test] async fn document_addition_with_primary_key() { let server = Server::new().await; diff --git a/meilisearch-http/tests/index/create_index.rs b/meilisearch-http/tests/index/create_index.rs index 3ff452c33..c26941b91 100644 --- a/meilisearch-http/tests/index/create_index.rs +++ b/meilisearch-http/tests/index/create_index.rs @@ -47,12 +47,10 @@ async fn create_existing_index() { assert_eq!(code, 400); } -// test fails (issue #46) #[actix_rt::test] -#[ignore] async fn create_with_invalid_index_uid() { let server = Server::new().await; - let index = server.index("test test"); + let index = server.index("test test#!"); let (_, code) = index.create(None).await; assert_eq!(code, 400); } diff --git a/meilisearch-http/tests/settings/get_settings.rs b/meilisearch-http/tests/settings/get_settings.rs index bae044acb..0e4d991da 100644 --- a/meilisearch-http/tests/settings/get_settings.rs +++ b/meilisearch-http/tests/settings/get_settings.rs @@ -90,6 +90,15 @@ async fn update_setting_unexisting_index() { assert_eq!(code, 200); } +#[actix_rt::test] +async fn update_setting_unexisting_index_invalid_uid() { + let server = Server::new().await; + let index = server.index("test##! "); + let (_response, code) = index.update_settings(json!({})).await; + println!("response: {}", _response); + assert_eq!(code, 400); +} + macro_rules! test_setting_routes { ($($setting:ident), *) => { $(
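Review bot: `document_add_create_index_bad_uid` and `document_update_create_index_bad_uid` assert only `code == 400` and discard `_response`, so they would also pass if the request were rejected for a reason unrelated to the uid check. Asserting on the part of the response that identifies the invalid-uid error would pin the cause; the response shape is not visible in this hunk, so the exact field needs confirming. Both tests use the same uid, `883 fj!`, and every uid in this commit's tests contains a space or punctuation. A non-ASCII letter and a uid containing `.` or `/` are boundary cases of the allow-list that deserve a case each. The empty string may not be expressible as a route, so a unit test next to `is_index_uid_valid` would cover it better.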
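Review bot: `println!("response: {}", _response);` in `update_setting_unexisting_index_invalid_uid` (tests/settings/get_settings.rs) looks like leftover debugging, and it reads a binding whose leading underscore marks it as unused. Either drop the line, or rename the binding with `let (response, code) = index.update_settings(json!({})).await;` and assert on the error body. The uid `test##! ` ends in a space, presumably on purpose; a short comment saying so would stop it being trimmed later.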