Search: Invalid ElasticSearch request on pentester submissions #688
Comments
I wonder if the switch to the new theme is the cause, since we are using the slug here: https://github.com/WordPress/pattern-directory/blob/trunk/public_html/wp-content/themes/wporg-pattern-directory-2024/functions.php#L167-L188 - and a quick look in the previous theme doesn't appear to have the same functionality.
Actually, I wonder if the taxonomy doesn't exist on the ES side, if it was added? I'll investigate that too.
It does exist, so it's not this 😄
The But the core request could also create a query with a term_id (using That would generate a
Ah! it's Changing to
Thanks for the extra details @ryelle - I'll work up the PR to account for that, as well as the potential @dd32 mentioned with multiple terms.
For curation, it seems like we only allow one variant:
The change in #689 doesn't appear to change the output when querying |
With #689, the
Also, on the PR, I get the One thing that was throwing me off is that
These return different results on prod, so suspect there is something else afoot - it looks like the search keyword isn't being in the same way - in the
Hmmm, I guess it used to work?
Yeah, the frontend used to be JS-powered, so it used the API too. Now it's not, so it doesn't use ES at all.
What's the preference here? Use ES or not, I'm not sure I understand how the site needs to function enough to know.
Yes, it should still use ES on the frontend too (not just the API). |
Describe the bug
A pentester has hit the wporg-patterns API in such a way that the pattern directory generates an invalid ElasticSearch request, causing a 400 Bad Request warning.
I can't tell if this is supposed to work, as the code-branch doesn't currently work. I suspect this is just unexpected input to the API endpoint.
For example:
This code:
pattern-directory/public_html/wp-content/plugins/pattern-directory/includes/search.php
Lines 152 to 154 in f7ffec0
resulted in this ES query, and response:
`terms` valid input would be an array, and well `core` is never going to match a `term_id`.. which is what leads me to think that the endpoint is not expecting a query-by-slugs.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Either the API should throw an error immediately if it gets invalid input OR the fields should be validated prior to querying ES.
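As an added example of the second option in the expected behaviour above (validating the taxonomy filter before any ES query is built), the following PHP is not the pattern-directory plugin's own code. It assumes a WordPress context (`get_term_by`, `WP_Error`, `sanitize_title` are WordPress core functions); the taxonomy name, the request parameter name and the ES field name in the usage comment are placeholders, not values from the project.

```php
<?php
/**
 * Added example (not the pattern-directory plugin's own code).
 *
 * Normalise the taxonomy filter a REST request carries into a clean list of
 * integer term IDs *before* an ElasticSearch "terms" filter is built from it.
 * Anything that cannot be resolved returns WP_Error, so the endpoint answers
 * 400 itself instead of sending ES a query it will reject.
 *
 * @param mixed  $raw      Raw request value: an ID, a slug, a comma list, or an array.
 * @param string $taxonomy Taxonomy to resolve against (placeholder in the usage below).
 * @return int[]|WP_Error
 */
function example_resolve_term_filter( $raw, string $taxonomy ) {
    // Accept a single value, a comma-separated string, or an array.
    if ( is_string( $raw ) || is_int( $raw ) ) {
        $raw = explode( ',', (string) $raw );
    }
    if ( ! is_array( $raw ) ) {
        return new WP_Error(
            'rest_invalid_param',
            'Term filter must be an ID, a slug, or a list of them.',
            array( 'status' => 400 )
        );
    }

    $term_ids = array();
    foreach ( $raw as $value ) {
        $value = trim( (string) $value );
        if ( '' === $value ) {
            continue;
        }
        if ( ctype_digit( $value ) ) {
            // Numeric: confirm the ID really belongs to this taxonomy.
            $term = get_term_by( 'id', (int) $value, $taxonomy );
        } else {
            // Non-numeric: treat it as a slug and map it to its term_id,
            // which is the field the ES index actually matches on.
            $term = get_term_by( 'slug', sanitize_title( $value ), $taxonomy );
        }
        if ( ! $term ) {
            return new WP_Error(
                'rest_invalid_param',
                sprintf( 'Unknown %s term: %s', $taxonomy, $value ),
                array( 'status' => 400 )
            );
        }
        $term_ids[] = (int) $term->term_id;
    }

    return array_values( array_unique( $term_ids ) );
}

/**
 * Build the ES clause only from validated IDs. A "terms" filter always takes
 * an array of values, which is the shape the bug report says was missing.
 *
 * @param int[]  $term_ids Validated term IDs.
 * @param string $es_field Indexed field name (placeholder in the usage below).
 * @return array|null      Filter clause, or null when there is nothing to filter on.
 */
function example_build_terms_filter( array $term_ids, string $es_field ) {
    if ( empty( $term_ids ) ) {
        return null;
    }
    return array( 'terms' => array( $es_field => $term_ids ) );
}

// Usage inside a REST callback (WP_REST_Request $request assumed; parameter,
// taxonomy and field names are placeholders):
//
// $ids = example_resolve_term_filter( $request->get_param( 'example-param' ), 'example-taxonomy' );
// if ( is_wp_error( $ids ) ) {
//     return $ids; // REST API turns this into a 400 before ES is ever contacted.
// }
// $filter = example_build_terms_filter( $ids, 'taxonomy.example-taxonomy.term_id' );
```

Resolving slugs to IDs up front means a request like the pentester's (a slug where a term_id is expected) either maps to a real term or is rejected with a clear 400 from the endpoint, and the ES request is only built from integers it can match.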