Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 505737

Summary: Passing in a search term that is unknown to the server causes it to default to a file search
Product: [ECD] Orion Reporter: Michael Rennie <Michael_Rennie>
Component: ServerAssignee: Michael Rennie <Michael_Rennie>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: P3 CC: Silenio_Quarti, steve_northover
Version: 13.0   
Target Milestone: 13.0   
Hardware: PC   
OS: Windows 7   
See Also: https://git.eclipse.org/r/83888
https://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?id=38555af80db22a36a4bfcde3e5e8cbbf12fdf171
https://git.eclipse.org/r/84602
https://git.eclipse.org/c/orion/org.eclipse.orion.server.git/commit/?id=18c198c163b0c777cfea6c36a8fdd326d88331bc
Whiteboard:
Attachments:
Description Flags
Updated Java server fix (with tests) none

Description Michael Rennie CLA 2016-10-11 14:51:33 EDT 
Related to the changes to bug 505411, in the current state now, where the server changes have not yet been pushed to master, the client code is sending a search term 'Exclude:node_modules', which the server does not know about.

Since it does not know about it, rather than ignore it (knowing there are other search terms) the server simply defaults to a file search setting the search term to be the whole 'Exclude:node_modules'

See the code in SearchServlet#buildSearchOptions ~line 133

options.setSearchTerm(term); //term === 'Exclude:node_modules'
options.setFileSearch(true);
Comment 1 Steve Northover CLA 2016-10-13 13:21:58 EDT 
Is this fixed or did we just temporarily disable the optimization?
Comment 2 Steve Northover CLA 2016-10-17 17:31:36 EDT 
Michael, is this fixed?
Comment 3 Michael Rennie CLA 2016-10-18 10:20:43 EDT 
This is not fixed.

While I found it working on bug 505411, it was not the cause, as any unknown search term sent to the server causes this behavior.
Comment 5 Eclipse Genie CLA 2016-10-25 13:48:40 EDT 
New Gerrit change created: https://git.eclipse.org/r/83888
Comment 6 Michael Rennie CLA 2016-10-25 13:52:40 EDT 
Reopening.

The fix causes an NPE failure in the Java server tests that test an injection attack. The fix for this bug causes the server to ignore the injected HTML (good) but causes side effects when the search would normally try a file file search (what we tried to prevent).

Silenio, what are your thoughts here? Should we ignore the search terms again and update the search code to check for null search terms and no-op?
Comment 8 Michael Rennie CLA 2016-11-03 14:28:42 EDT 
Created attachment 265180 [details]
Updated Java server fix (with tests)

Silenio, can you sanity-check this patch for me?
Comment 9 Eclipse Genie CLA 2016-11-07 12:12:44 EST 
New Gerrit change created: https://git.eclipse.org/r/84602
Comment 11 Michael Rennie CLA 2016-11-17 11:22:03 EST 
The new Java server fix has been applied. I'll push an updated JavaScript server fix to gerrit
Comment 12 Michael Rennie CLA 2016-11-17 12:27:49 EST 
Node server re-fixed in: http://git.eclipse.org/c/orion/org.eclipse.orion.client.git/commit/?id=8c58044077e210c4824f3fe82ebba1fbeb141744

The original change was sufficient to handle the injection case as well.