searchengines-web/MeiliSearch
searchengines-web/MeiliSearch
1
0
Fork 0
mirror of https://github.com/meilisearch/MeiliSearch synced 2025-07-04 20:37:15 +02:00
Code Issues Releases Wiki Activity

Validate documents ids before accepting them

Browse source
This commit is contained in:
Clément Renault 2020-11-01 16:43:12 +01:00 committed by Kerollmops
parent 0ccf4cf785
commit 3abfe8aa22
No known key found for this signature in database
GPG key ID: 92ADA4E935E71FA4
2 changed files with 60 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

25
src/update/index_documents/transform.rs
View file

@ -172,6 +172,12 @@ impl Transform<'_, '_> {
writer.insert(field_id, &json_buffer)?;
}
else if field_id == primary_key {
// We validate the document id [a-zA-Z0-9\-_].
let user_id = match validate_document_id(&user_id) {
Some(valid) => valid,
None => return Err(anyhow!("invalid document id: {:?}", user_id)),
};
// We serialize the document id.
serde_json::to_writer(&mut json_buffer, &user_id)?;
writer.insert(field_id, &json_buffer)?;
@ -256,9 +262,15 @@ impl Transform<'_, '_> {
let mut writer = obkv::KvWriter::new(&mut obkv_buffer);
// We extract the user id if we know where it is or generate an UUID V4 otherwise.
// TODO we must validate the user id (i.e. [a-zA-Z0-9\-_]).
let user_id = match user_id_pos {
Some(pos) => &record[pos],
Some(pos) => {
let user_id = &record[pos];
// We validate the document id [a-zA-Z0-9\-_].
match validate_document_id(&user_id) {
Some(valid) => valid,
None => return Err(anyhow!("invalid document id: {:?}", user_id)),
}
},
None => uuid::Uuid::new_v4().to_hyphenated().encode_lower(&mut uuid_buffer),
};
@ -411,3 +423,12 @@ fn merge_obkvs(_key: &[u8], obkvs: &[Cow<[u8]>]) -> anyhow::Result<Vec<u8>> {
buffer
}))
}
fn validate_document_id(document_id: &str) -> Option<&str> {
let document_id = document_id.trim();
Some(document_id).filter(|id| {
!id.is_empty() && id.chars().all(|c| {
matches!(c, 'a'..='z' | 'A'..='Z' | '0'..='9' | '-' | '_')
})
})
}