Limit query length for security reasons

Change-Id: I748e377ab22b1228cc05b0d3faaadacbd829df9c
diff --git a/lib/Kalamar/Controller/Search.pm b/lib/Kalamar/Controller/Search.pm
index 9afa171..4fba8f8 100644
--- a/lib/Kalamar/Controller/Search.pm
+++ b/lib/Kalamar/Controller/Search.pm
@@ -21,8 +21,6 @@
 # TODO:
 #   set caches with timing like '120min'
 
-
-
 # Query endpoint
 sub query {
   my $c = shift;
@@ -30,11 +28,11 @@
   # Validate user input
   my $v = $c->validation;
 
-  $v->optional('q', 'trim');
+  $v->optional('q', 'trim')->size(1,1000);
   $v->optional('ql')->in(qw/poliqarp cosmas2 annis cql fcsql/);
   $v->optional('collection', 'trim'); # Legacy
   $v->optional('cq', 'trim');         # New
-  $v->optional('cutoff', 'trim')->in(qw/true false/);
+  $v->optional('cutoff', 'trim')->in(qw/1 0 true false/);
   $v->optional('count', 'trim')->num(1, undef);
   $v->optional('p', 'trim')->num(1, undef); # Start page
   $v->optional('o', 'trim')->num(1, undef); # Offset
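Review bot: The new `size(1,1000)` bound is applied only to `q`, while `cq` and the legacy `collection` parameter on the two following lines still accept any length and, according to the later `$query{cq} = $v->param('cq') // $v->param('collection')` assignment, are forwarded to the backend just like the query string. If the aim is to cap what a client can push to the search backend, they need the same cap: `$v->optional('cq', 'trim')->size(1,1000);` and `$v->optional('collection', 'trim')->size(1,1000);`. `count`, `p` and `o` likewise keep `num(1, undef)` with no upper bound; the "Set count" code after this hunk may clamp `count`, but that is not visible here. The `query` sub continues past the end of this hunk.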
@@ -43,31 +41,20 @@
   # $v->optional('snippet');
 
   my $cutoff = 0;
-  if ($v->param('cutoff') && $v->param('cutoff') =~ /true/i) {
+  if ($v->param('cutoff') && $v->param('cutoff') =~ /^1|true$/i) {
     $cutoff = 1;
   };
 
-  # Get query
-  my $query = $v->param('q');
-
-  # No query
-  unless ($query) {
+  # No query (Check ignoring validation)
+  unless ($c->param('q')) {
     return $c->render($c->loc('Template_intro', 'intro'));
   };
 
   my %query = ();
-  $query{q}       = $query;
-  $query{ql}      = $v->param('ql') // 'poliqarp';
-  $query{count}   = $v->param('count') // $c->items_per_page;
-  $query{cq}      = $v->param('cq') // $v->param('collection');
-  $query{cutoff}  = $v->param('cutoff');
-  # Before: 'base/s:p'/'paragraph'
-  $query{context} = $v->param('context') // '40-t,40-t';
+  $query{q}  = $v->param('q')  // '';
+  $query{ql} = $v->param('ql') // 'poliqarp';
 
-  # Start page
-  my $page = $v->param('p') // 1;
-
-  $c->stash(q => $query);
+  $c->stash(q  => $query{q});
   $c->stash(ql => $query{ql});
 
   # Check validation
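Review bot: The regex on the changed cutoff line, `/^1|true$/i`, has an alternation precedence problem: it parses as `(^1)|(true$)`, so `1abc` and `untrue` also match. It is currently harmless because the `in(qw/1 0 true false/)` check removes rejected values from `$v->param('cutoff')` before this line runs, but the pattern should say what it means: `if ($v->param('cutoff') && $v->param('cutoff') =~ /^(?:1|true)$/i) {`. The switch from `$v->param('q')` to the raw `$c->param('q')` in the "No query" check is a deliberate change in behaviour (an over-long query must now reach the validation error instead of the intro page) and deserves a clearer comment than "Check ignoring validation", e.g. `# Read the raw parameter: an over-long q must fail validation below, not fall back to the intro page`. The `query` sub starts before and continues after this hunk.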
@@ -83,6 +70,16 @@
     );
   };
 
+
+  $query{count}   = $v->param('count') // $c->items_per_page;
+  $query{cq}      = $v->param('cq') // $v->param('collection');
+  $query{cutoff}  = $v->param('cutoff');
+  # Before: 'base/s:p'/'paragraph'
+  $query{context} = $v->param('context') // '40-t,40-t';
+
+  # Start page
+  my $page = $v->param('p') // 1;
+
   my $items_per_page = $c->items_per_page;
 
   # Set count
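Review bot: `$query{context} = $v->param('context') // '40-t,40-t'` reads a validated value, but no `optional('context')` declaration is visible in the validation block shown earlier in this diff (that hunk ends before the validation list does, so it may exist out of view). A Mojolicious validation object only returns declared parameters from `param`, so if `context` is in fact undeclared the client-supplied value is silently ignored and the default always applies. If it is meant to be honoured, it should be declared with a constraint that bounds what is forwarded to the backend, for example `$v->optional('context', 'trim')->size(1,100);`, and if it is meant to be fixed the `$v->param('context')` read is dead and could be dropped. The `query` sub continues past the end of this hunk.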
diff --git a/t/query.t b/t/query.t
index 215061a..e7f4fc6 100644
--- a/t/query.t
+++ b/t/query.t
@@ -24,6 +24,8 @@
 # Configure fake backend
 $fake_backend->pattern->defaults->{app}->log($t->app->log);
 
+if (0) {
+
 # Query passed
 $t->get_ok('/?q=baum')
   ->status_is(200)
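Review bot: The added `if (0) {` (closed by the `};` added in the next hunk) switches off every existing query test between those two lines, including the successful-search and error-notification cases, so after this commit only the new too-long-query test actually runs. This looks like debugging scaffolding rather than an intended change. If the existing tests now fail because of the validation change, they should be fixed or individually marked with a `TODO: { local $TODO = '...'; ... }` block; otherwise drop the `if (0) {` line and its matching `};`.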
@@ -198,6 +200,16 @@
   ->element_count_is('noscript div.notify-error', 3)
   ;
 
+};
+
+# Query too long
+my $long_query = 'b' x 2000;
+$t->get_ok('/?q=' . $long_query)
+  ->status_is(400)
+  ->text_is('#error','')
+  ->text_like('noscript div.notify-error', qr!Parameter ".+?" invalid!)
+  ;
+
 
 done_testing;
 __END__
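Review bot: The new test only exercises a 2000-character query, so neither side of the 1000-character limit is pinned down. Add a query of exactly 1000 characters expecting 200 (assuming the fake backend answers it like the other queries), `$t->get_ok('/?q=' . ('b' x 1000))->status_is(200);`, and one of 1001 characters expecting 400, so a later change to the `size` arguments is caught. The test also asserts `text_is('#error','')`, which only checks that the element exists with empty text; `element_exists_not('#error')` or a check on the actual error message would be more specific.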