@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Conduit: Validate "attachments" keys for correctness

Summary:
`PhabricatorApplicationSearchEngine::buildConduitResponse()` already does some validation for passed `constraints`.
It should do the same for passed `attachments`.

Closes T16525

Test Plan:
* Look at http://phorge.localhost/conduit/method/maniphest.search/#attachments and understand which attachment keys are valid for this endpoint.
* In the `attachments` field, enter nonsense like `{"subscribers":["foo","bar"],"invalidkey":["foo"]}` or `{"foo":"bar"}`, and press "Call Method"
* Get an error message after applying this patch
* In the `attachments` field, enter half-nonsense (at least valid keys) like `{"subscribers":["foo","bar"],"projects":[""]}`, and press "Call Method"
* Get results and no error, as before (as this patch only introduces validation of keys but not of values)

Reviewers: O1 Blessed Committers, valerio.bozzolan

Reviewed By: O1 Blessed Committers, valerio.bozzolan

Subscribers: tobiaswiese, valerio.bozzolan, Matthew, Cigaryno

Maniphest Tasks: T16525

Differential Revision: https://we.phorge.it/D26796

+8
src/applications/search/engine/PhabricatorApplicationSearchEngine.php
··· 1302 1302 'Parameter "attachments" must be a map of attachments, got "%s".', 1303 1303 phutil_describe_type($attachment_specs))); 1304 1304 } 1305 + foreach ($attachment_specs as $key => $attachment) { 1306 + if (empty($attachments[$key])) { 1307 + throw new Exception( 1308 + pht( 1309 + 'Attachment key "%s" is not a valid attachment for this query.', 1310 + $key)); 1311 + } 1312 + } 1305 1313 1306 1314 $attachments = array_select_keys( 1307 1315 $attachments,
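Review bot: In the added `foreach`, `empty($attachments[$key])` checks key existence with a truthiness test, so a known key whose entry in `$attachments` is falsy would also be rejected as invalid; `isset($attachments[$key])` states the intent more precisely. The loop value `$attachment` is never used, so iterating over `array_keys($attachment_specs)` would read more clearly. The message names the rejected key but not the accepted ones; appending the list from `array_keys($attachments)` would let a Conduit caller correct the request without opening the method's documentation page. Since only keys are checked and values pass through as before, a one-line comment above the loop saying so would help the next reader.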