typesense / typesense-js

JavaScript / TypeScript client for Typesense
https://typesense.org/docs/api
Apache License 2.0

Deleting collections with special characters doesn't work #194

Open bfritscher opened 6 months ago

bfritscher commented 6 months ago

Description

If I create a collection with a "+" in the name, I can no longer interact with it in API calls which use the collection name in the URL path.

It looks as if there is no escaping happening when building URLs for the Typesense API.

Does the user of this library need to escape the collection name before using the API and make assumptions about the underlying workings of the API?

Steps to reproduce

Expected Behavior

Actual Behavior

The string is used as is and the server receives "foo bar".

Metadata

Typesense-js Version: 1.7.2

Reported via https://github.com/bfritscher/typesense-dashboard/issues/44

LewisW commented 2 months ago

Same with "#", which allows malicious actors to delete unauthorised rows when combined with badly designed IDs/validation.

In fact, one could delete an entire collection just by starting the document ID with a hash.
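Added example (not typesense-js code) illustrating the two reports above: a collection name or document ID dropped into the URL path as-is is reinterpreted by the URL parser (a leading "#" becomes a fragment, "?" starts a query, "/" adds a segment), while percent-encoding each segment keeps it intact. The base URL is a placeholder; only Node's built-in WHATWG `URL` parser is used.

```javascript
// Added example, not part of typesense-js. Shows why user-controlled path
// segments must be percent-encoded before being placed in an API URL.
const BASE = "http://typesense.example:8108"; // placeholder host, not a real server

// Naive path building, as the issue describes: the values are used verbatim.
function rawPath(collection, docId) {
  return docId === undefined
    ? `/collections/${collection}`
    : `/collections/${collection}/documents/${docId}`;
}

// Hardened variant: each user-controlled value is encoded as exactly one path segment.
function safePath(collection, docId) {
  const c = encodeURIComponent(collection);
  return docId === undefined
    ? `/collections/${c}`
    : `/collections/${c}/documents/${encodeURIComponent(docId)}`;
}

// The path a server actually routes on, after standard URL parsing.
// Note: this alone does not turn "+" into a space; the issue reports that
// the server side does that decoding, so "+" is still encoded as %2B.
function serverSeesPath(path) {
  return new URL(path, BASE).pathname;
}

function demo() {
  const cases = [
    ["foo+bar", undefined],   // collection name from the original report
    ["books", "#123"],        // leading "#" is parsed as a fragment, not an ID
    ["a/b", "x?y=1"],         // "/" adds a segment, "?" starts a query string
  ];
  for (const [c, d] of cases) {
    console.log(rawPath(c, d), "->", serverSeesPath(rawPath(c, d)));
    console.log(safePath(c, d), "->", serverSeesPath(safePath(c, d)));
  }
}
demo();
```

With the raw path, `DELETE /collections/books/documents/#123` reaches the server as `/collections/books/documents/` and the document ID is gone from the request; with the encoded path it arrives as `/collections/books/documents/%23123`.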