feat: Error on excessive invalid search keys

Emyrk · Emyrk · commit 66a4b98a1f9e · 2023-02-28T17:11:26.000-06:00
diff --git a/coderd/httpapi/queryparams.go b/coderd/httpapi/queryparams.go
@@ -20,16 +20,38 @@ type QueryParamParser struct {
 	// Errors is the set of errors to return via the API. If the length
 	// of this set is 0, there are no errors!.
 	Errors []codersdk.ValidationError
+	// Parsed is a map of all query params that were parsed. This is useful
+	// for checking if extra query params were passed in.
+	Parsed map[string]bool
 }
 
 func NewQueryParamParser() *QueryParamParser {
 	return &QueryParamParser{
 		Errors: []codersdk.ValidationError{},
+		Parsed: map[string]bool{},
 	}
 }
 
+// ErrorExcessParams checks if any query params were passed in that were not
+// parsed. If so, it adds an error to the parser as these values are not valid
+// query parameters.
+func (p *QueryParamParser) ErrorExcessParams(values url.Values) {
+	for k := range values {
+		if _, ok := p.Parsed[k]; !ok {
+			p.Errors = append(p.Errors, codersdk.ValidationError{
+				Field:  k,
+				Detail: fmt.Sprintf("Query param %q is not a valid query param", k),
+			})
+		}
+	}
+}
+
+func (p *QueryParamParser) addParsed(key string) {
+	p.Parsed[key] = true
+}
+
 func (p *QueryParamParser) Int(vals url.Values, def int, queryParam string) int {
-	v, err := parseQueryParam(vals, strconv.Atoi, def, queryParam)
+	v, err := parseQueryParam(p, vals, strconv.Atoi, def, queryParam)
 	if err != nil {
 		p.Errors = append(p.Errors, codersdk.ValidationError{
 			Field:  queryParam,
@@ -40,14 +62,16 @@ func (p *QueryParamParser) Int(vals url.Values, def int, queryParam string) int
 }
 
 func (p *QueryParamParser) UUIDorMe(vals url.Values, def uuid.UUID, me uuid.UUID, queryParam string) uuid.UUID {
-	if vals.Get(queryParam) == "me" {
-		return me
-	}
-	return p.UUID(vals, def, queryParam)
+	return ParseCustom(p, vals, def, queryParam, func(v string) (uuid.UUID, error) {
+		if v == "me" {
+			return me, nil
+		}
+		return uuid.Parse(v)
+	})
 }
 
 func (p *QueryParamParser) UUID(vals url.Values, def uuid.UUID, queryParam string) uuid.UUID {
-	v, err := parseQueryParam(vals, uuid.Parse, def, queryParam)
+	v, err := parseQueryParam(p, vals, uuid.Parse, def, queryParam)
 	if err != nil {
 		p.Errors = append(p.Errors, codersdk.ValidationError{
 			Field:  queryParam,
@@ -58,7 +82,7 @@ func (p *QueryParamParser) UUID(vals url.Values, def uuid.UUID, queryParam strin
 }
 
 func (p *QueryParamParser) UUIDs(vals url.Values, def []uuid.UUID, queryParam string) []uuid.UUID {
-	v, err := parseQueryParam(vals, func(v string) ([]uuid.UUID, error) {
+	v, err := parseQueryParam(p, vals, func(v string) ([]uuid.UUID, error) {
 		var badValues []string
 		strs := strings.Split(v, ",")
 		ids := make([]uuid.UUID, 0, len(strs))
@@ -85,15 +109,15 @@ func (p *QueryParamParser) UUIDs(vals url.Values, def []uuid.UUID, queryParam st
 	return v
 }
 
-func (*QueryParamParser) String(vals url.Values, def string, queryParam string) string {
-	v, _ := parseQueryParam(vals, func(v string) (string, error) {
+func (p *QueryParamParser) String(vals url.Values, def string, queryParam string) string {
+	v, _ := parseQueryParam(p, vals, func(v string) (string, error) {
 		return v, nil
 	}, def, queryParam)
 	return v
 }
 
-func (*QueryParamParser) Strings(vals url.Values, def []string, queryParam string) []string {
-	v, _ := parseQueryParam(vals, func(v string) ([]string, error) {
+func (p *QueryParamParser) Strings(vals url.Values, def []string, queryParam string) []string {
+	v, _ := parseQueryParam(p, vals, func(v string) ([]string, error) {
 		if v == "" {
 			return []string{}, nil
 		}
@@ -105,7 +129,7 @@ func (*QueryParamParser) Strings(vals url.Values, def []string, queryParam strin
 // ParseCustom has to be a function, not a method on QueryParamParser because generics
 // cannot be used on struct methods.
 func ParseCustom[T any](parser *QueryParamParser, vals url.Values, def T, queryParam string, parseFunc func(v string) (T, error)) T {
-	v, err := parseQueryParam(vals, parseFunc, def, queryParam)
+	v, err := parseQueryParam(parser, vals, parseFunc, def, queryParam)
 	if err != nil {
 		parser.Errors = append(parser.Errors, codersdk.ValidationError{
 			Field:  queryParam,
@@ -115,7 +139,8 @@ func ParseCustom[T any](parser *QueryParamParser, vals url.Values, def T, queryP
 	return v
 }
 
-func parseQueryParam[T any](vals url.Values, parse func(v string) (T, error), def T, queryParam string) (T, error) {
+func parseQueryParam[T any](parser *QueryParamParser, vals url.Values, parse func(v string) (T, error), def T, queryParam string) (T, error) {
+	parser.addParsed(queryParam)
 	if !vals.Has(queryParam) || vals.Get(queryParam) == "" {
 		return def, nil
 	}
diff --git a/coderd/searchquery/search.go b/coderd/searchquery/search.go
@@ -0,0 +1,89 @@
+package searchquery
+
+import (
+	"fmt"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/coder/coder/coderd/httpapi"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/coderd/database"
+
+	"github.com/coder/coder/codersdk"
+)
+
+func Workspace(query string, page codersdk.Pagination, agentInactiveDisconnectTimeout time.Duration) (database.GetWorkspacesParams, []codersdk.ValidationError) {
+	filter := database.GetWorkspacesParams{
+		AgentInactiveDisconnectTimeoutSeconds: int64(agentInactiveDisconnectTimeout.Seconds()),
+
+		Offset: int32(page.Offset),
+		Limit:  int32(page.Limit),
+	}
+
+	if query == "" {
+		return filter, nil
+	}
+
+	// Always lowercase for all searches.
+	query = strings.ToLower(query)
+	values, errors := searchTerms(query, func(term string, values url.Values) error {
+		// It is a workspace name, and maybe includes an owner
+		parts := splitQueryParameterByDelimiter(term, '/', false)
+		switch len(parts) {
+		case 1:
+			values.Set("name", parts[0])
+		case 2:
+			values.Set("owner", parts[0])
+			values.Set("name", parts[1])
+		default:
+			return xerrors.Errorf("Query element %q can only contain 1 '/'", term)
+		}
+		return nil
+	})
+	if errors != nil {
+		return filter, errors
+	}
+
+	parser := httpapi.NewQueryParamParser()
+	filter.OwnerUsername = parser.String(values, "", "owner")
+	filter.TemplateName = parser.String(values, "", "template")
+	filter.Name = parser.String(values, "", "name")
+	filter.Status = parser.String(values, "", "status")
+	filter.HasAgent = parser.String(values, "", "has-agent")
+	parser.ErrorExcessParams(values)
+	return filter, parser.Errors
+}
+
+func searchTerms(query string, defaultKey func(term string, values url.Values) error) (url.Values, []codersdk.ValidationError) {
+	searchValues := make(url.Values)
+
+	// Because we do this in 2 passes, we want to maintain quotes on the first
+	// pass. Further splitting occurs on the second pass and quotes will be
+	// dropped.
+	elements := splitQueryParameterByDelimiter(query, ' ', true)
+	for _, element := range elements {
+		parts := splitQueryParameterByDelimiter(element, ':', false)
+		switch len(parts) {
+		case 1:
+			// No key:value pair. Use default behavior.
+			err := defaultKey(element, searchValues)
+			if err != nil {
+				return nil, []codersdk.ValidationError{
+					{Field: "q", Detail: err.Error()},
+				}
+			}
+		case 2:
+			searchValues.Set(strings.ToLower(parts[0]), parts[1])
+		default:
+			return nil, []codersdk.ValidationError{
+				{
+					Field:  "q",
+					Detail: fmt.Sprintf("Query element %q can only contain 1 ':'", element),
+				},
+			}
+		}
+	}
+	return searchValues, nil
+}
diff --git a/coderd/searchquery/split.go b/coderd/searchquery/split.go
@@ -0,0 +1,30 @@
+package searchquery
+
+import "strings"
+
+// splitQueryParameterByDelimiter takes a query string and splits it into the individual elements
+// of the query. Each element is separated by a delimiter. All quoted strings are
+// kept as a single element.
+//
+// Although all our names cannot have spaces, that is a validation error.
+// We should still parse the quoted string as a single value so that validation
+// can properly fail on the space. If we do not, a value of `template:"my name"`
+// will search `template:"my name:name"`, which produces an empty list instead of
+// an error.
+// nolint:revive
+func splitQueryParameterByDelimiter(query string, delimiter rune, maintainQuotes bool) []string {
+	quoted := false
+	parts := strings.FieldsFunc(query, func(r rune) bool {
+		if r == '"' {
+			quoted = !quoted
+		}
+		return !quoted && r == delimiter
+	})
+	if !maintainQuotes {
+		for i, part := range parts {
+			parts[i] = strings.Trim(part, "\"")
+		}
+	}
+
+	return parts
+}
diff --git a/coderd/workspaces.go b/coderd/workspaces.go
@@ -1296,6 +1296,7 @@ func workspaceSearchQuery(query string, page codersdk.Pagination, agentInactiveD
 	return filter, parser.Errors
 }
 
+
 // splitQueryParameterByDelimiter takes a query string and splits it into the individual elements
 // of the query. Each element is separated by a delimiter. All quoted strings are
 // kept as a single element.

Original file line number	Diff line number	Diff line change
`@@ -1296,6 +1296,7 @@ func workspaceSearchQuery(query string, page codersdk.Pagination, agentInactiveD`
`1296`	`1296`	`return filter, parser.Errors`
`1297`	`1297`	`}`
`1298`	`1298`
	`1299`	`+`
`1299`	`1300`	`// splitQueryParameterByDelimiter takes a query string and splits it into the individual elements`
`1300`	`1301`	`// of the query. Each element is separated by a delimiter. All quoted strings are`
`1301`	`1302`	`// kept as a single element.`