Merge branch 'security-prevent-short-searches-in-explore-projects' into 'master'

Require a minimum search length on explore page See merge request gitlab-org/security/gitlab!1064

Merge branch 'security-prevent-short-searches-in-explore-projects' into 'master'
Require a minimum search length on explore page See merge request gitlab-org/security/gitlab!1064
38565352 · GitLab Release Tools Bot · fca4d1a5 · ebe4e696 · 38565352 · 38565352
Commit 38565352 authored Dec 01, 2020 by GitLab Release Tools Bot
6 changed files
--- a/app/controllers/explore/projects_controller.rb
+++ b/app/controllers/explore/projects_controller.rb
@@ -8,6 +8,8 @@ class Explore::ProjectsController < Explore::ApplicationController
  include SortingHelper
  include SortingPreference

+  MIN_SEARCH_LENGTH = 3
+
  before_action :set_non_archived_param
  before_action :set_sorting

@@ -72,7 +74,7 @@ class Explore::ProjectsController < Explore::ApplicationController
  def load_projects
    load_project_counts

-    projects = ProjectsFinder.new(current_user: current_user, params: params).execute
+    projects = ProjectsFinder.new(current_user: current_user, params: params.merge(minimum_search_length: MIN_SEARCH_LENGTH)).execute

    projects = preload_associations(projects)
    projects = projects.page(params[:page]).without_count

--- a/app/finders/projects_finder.rb
+++ b/app/finders/projects_finder.rb
@@ -18,6 +18,7 @@
 #     personal: boolean
 #     search: string
 #     search_namespaces: boolean
+#     minimum_search_length: int
 #     non_archived: boolean
 #     archived: 'only' or boolean
 #     min_access_level: integer
@@ -182,6 +183,9 @@ class ProjectsFinder < UnionFinder

  def by_search(items)
    params[:search] ||= params[:name]
+
+    return items.none if params[:search].present? && params[:minimum_search_length].present? && params[:search].length < params[:minimum_search_length].to_i
+
    items.optionally_search(params[:search], include_namespace: params[:search_namespaces].present?)
  end


--- a/app/views/explore/projects/_projects.html.haml
+++ b/app/views/explore/projects/_projects.html.haml
-= render 'shared/projects/list', projects: projects, user: current_user, explore_page: true, pipeline_status: Feature.enabled?(:dashboard_pipeline_status, default_enabled: true)
+- if params[:name].present? && params[:name].size < Explore::ProjectsController::MIN_SEARCH_LENGTH
+  .nothing-here-block
+    %h5= _('Enter at least three characters to search')
+- else
+  = render 'shared/projects/list', projects: projects, user: current_user, explore_page: true, pipeline_status: Feature.enabled?(:dashboard_pipeline_status, default_enabled: true)
--- a/changelogs/unreleased/security-prevent-short-searches-in-explore-projects.yml
+++ b/changelogs/unreleased/security-prevent-short-searches-in-explore-projects.yml
+---
+title: Require at least 3 characters when searching for project in the Explore page
+merge_request:
+author:
+type: security
--- a/spec/features/explore/user_explores_projects_spec.rb
+++ b/spec/features/explore/user_explores_projects_spec.rb
@@ -47,6 +47,14 @@ RSpec.describe 'User explores projects' do
        end
      end

+      shared_examples 'minimum search length' do
+        it 'shows a prompt to enter a longer search term', :js do
+          fill_in 'name', with: 'z'
+
+          expect(page).to have_content('Enter at least three characters to search')
+        end
+      end
+
      context 'when viewing public projects' do
        before do
          visit(explore_projects_path)
@@ -54,6 +62,7 @@ RSpec.describe 'User explores projects' do

        include_examples 'shows public and internal projects'
        include_examples 'empty search results'
+        include_examples 'minimum search length'
      end

      context 'when viewing most starred projects' do
@@ -63,6 +72,7 @@ RSpec.describe 'User explores projects' do

        include_examples 'shows public and internal projects'
        include_examples 'empty search results'
+        include_examples 'minimum search length'
      end

      context 'when viewing trending projects' do
@@ -76,6 +86,7 @@ RSpec.describe 'User explores projects' do

        include_examples 'shows public projects'
        include_examples 'empty search results'
+        include_examples 'minimum search length'
      end
    end
  end

--- a/spec/finders/projects_finder_spec.rb
+++ b/spec/finders/projects_finder_spec.rb
@@ -161,6 +161,29 @@ RSpec.describe ProjectsFinder, :do_not_mock_admin_mode do
        it { is_expected.to eq([public_project]) }
      end

+      describe 'filter by search with minimum search length' do
+        context 'when search term is shorter than minimum length' do
+          let(:params) { { search: 'C', minimum_search_length: 3 } }
+
+          it { is_expected.to be_empty }
+        end
+
+        context 'when search term is longer than minimum length' do
+          let(:project) { create(:project, :public, group: group, name: 'test_project') }
+          let(:params) { { search: 'test', minimum_search_length: 3 } }
+
+          it { is_expected.to eq([project]) }
+        end
+
+        context 'when minimum length is invalid' do
+          let(:params) { { search: 'C', minimum_search_length: 'x' } }
+
+          it 'ignores the minimum length param' do
+            is_expected.to eq([public_project])
+          end
+        end
+      end
+
      describe 'filter by group name' do
        let(:params) { { name: group.name, search_namespaces: true } }