FIX: prevents exception when search q params is a hash (#7437)

* FIX: prevents exception when searh q params is a hash * raise when invalid format
2019-04-29 09:09:25 +02:00 · 2019-04-29 09:09:25 +02:00 · fe86941cb6
parent ad44243a57
commit fe86941cb6
2 changed files with 17 additions and 2 deletions
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@ -9,8 +9,18 @@ class SearchController < ApplicationController
  end

  def show
-    @search_term = params[:q]
-    raise Discourse::InvalidParameters.new(:q) if @search_term.present? && @search_term.length < SiteSetting.min_search_term_length
+    @search_term = params.permit(:q)[:q]
+
+    # a q param has been given but it's not in the correct format
+    # eg: ?q[foo]=bar
+    if params[:q].present? && !@search_term.present?
+      raise Discourse::InvalidParameters.new(:q)
+    end
+
+    if @search_term.present? &&
+       @search_term.length < SiteSetting.min_search_term_length
+      raise Discourse::InvalidParameters.new(:q)
+    end

    search_args = {
      type_filter: 'topic',
--- a/spec/requests/search_controller_spec.rb
+++ b/spec/requests/search_controller_spec.rb
@ -137,6 +137,11 @@ describe SearchController do
      expect(response.status).to eq(400)
    end

+    it "raises an error when search term is a hash" do
+      get "/search.json?q[foo]"
+      expect(response.status).to eq(400)
+    end
+
    it "logs the search term" do
      SiteSetting.log_search_queries = true
      get "/search.json", params: { q: 'bantha' }