html search: use a ``Map`` to collect file-term scores

[jayaddison]

Feature or Bugfix

• Bugfix

Purpose

• Prevent carefully-crafted search queries on the frontend from polluting the scoreMap, potentially allowing for undesired result scoring adjustments.

Detail

• As recommended in the OWASP Prototype Pollution Cheat-Sheet, use a JavaScript Map instead of an object literal to record per-file term scoring.
• Use the Map.set method instead of assigning to the properties of the map object.

Relates

• N/A

Edit: add note about using Map.set in preference to object-property assignment.

[jayaddison]

My premise, that this is an exploitable problem, seems to be flawed, which is fortunate.

Even so, I don't think that I approached resolving this in a good way; there is a disclosure path for vulnerabilities in Sphinx, and I should have used that.

I did weigh up a few factors about the possible impact of the problem, and then decided to open a pull request without following the disclosure path, but in hindsight that wasn't really a great idea (despite the fact that I now believe the flaw is a non-concern).

I think I'll probably step back from contributing for a while, perhaps here and elsewhere; this seemed to be a hasty effort, and I'd like to make sure I'm being thorough especially about poentially-important problems like security bugs (I believe I have been thorough in the past, but wasn't with this, so that seems to reflect changes in behaviour).

[AA-Turner]

Even so, I don't think that I approached resolving this in a good way; there is a disclosure path for vulnerabilities in Sphinx, and I should have used that.

I think I'll probably step back from contributing for a while, perhaps here and elsewhere; this seemed to be a hasty effort, and I'd like to make sure I'm being thorough especially about poentially-important problems like security bugs (I believe I have been thorough in the past, but wasn't with this, so that seems to reflect changes in behaviour).

James -- I don't currently have time to review the substantive discussion, but I wanted to quickly write something. Your efforts are immensely appreciated, and I don't want you to take this too hard or etc. Problems in process affect all of us, and so I wouldn't want to loose you from the project (or open source in general!) for a (potential) misstep. Identifying potential problems in the first place is inherently valuable. I sympathise with the feeling of discovering a security problem and wanting to alert people as quickly as possible.

The project can improve here by adding a more advertised SECURITY.rst policy, which I will take as an action. Currently, we use GitHub's Security Advisories.

Please do take all the time you need, but I wanted to write a note to say that I hope you don't overburden yourself with anything and that we keep seeing you around here.

Adam

[jayaddison]

Thanks again - I think I'll take that time away to recharge/recuperate soon.