From 1b6a82b7994e436d145b0e2282af07314fe54308 Mon Sep 17 00:00:00 2001
From: Taylor Chaparro <33099255+notchairmk@users.noreply.github.com>
Date: Thu, 12 Sep 2024 06:40:20 -0700
Subject: [PATCH] Fix invalid date searches returning 503 (#31526)

---
 app/lib/search_query_transformer.rb       | 17 +++++--
 lib/exceptions.rb                         |  1 +
 spec/lib/search_query_transformer_spec.rb | 57 +++++++++++++++++++++--
 3 files changed, 69 insertions(+), 6 deletions(-)

diff --git a/app/lib/search_query_transformer.rb b/app/lib/search_query_transformer.rb
index 606819ed404..1306ed12eda 100644
--- a/app/lib/search_query_transformer.rb
+++ b/app/lib/search_query_transformer.rb
@@ -168,15 +168,15 @@ class SearchQueryTransformer < Parslet::Transform
       when 'before'
         @filter = :created_at
         @type = :range
-        @term = { lt: term, time_zone: @options[:current_account]&.user_time_zone.presence || 'UTC' }
+        @term = { lt: TermValidator.validate_date!(term), time_zone: @options[:current_account]&.user_time_zone.presence || 'UTC' }
       when 'after'
         @filter = :created_at
         @type = :range
-        @term = { gt: term, time_zone: @options[:current_account]&.user_time_zone.presence || 'UTC' }
+        @term = { gt: TermValidator.validate_date!(term), time_zone: @options[:current_account]&.user_time_zone.presence || 'UTC' }
       when 'during'
         @filter = :created_at
         @type = :range
-        @term = { gte: term, lte: term, time_zone: @options[:current_account]&.user_time_zone.presence || 'UTC' }
+        @term = { gte: TermValidator.validate_date!(term), lte: TermValidator.validate_date!(term), time_zone: @options[:current_account]&.user_time_zone.presence || 'UTC' }
       when 'in'
         @operator = :flag
         @term = term
@@ -224,6 +224,17 @@ class SearchQueryTransformer < Parslet::Transform
     end
   end
 
+  class TermValidator
+    STRICT_DATE_REGEX = /\A\d{4}-\d{2}-\d{2}\z/ # yyyy-MM-dd
+    EPOCH_MILLIS_REGEX = /\A\d{1,19}\z/
+
+    def self.validate_date!(value)
+      return value if value.match?(STRICT_DATE_REGEX) || value.match?(EPOCH_MILLIS_REGEX)
+
+      raise Mastodon::FilterValidationError, "Invalid date #{value}"
+    end
+  end
+
   rule(clause: subtree(:clause)) do
     prefix   = clause[:prefix][:term].to_s.downcase if clause[:prefix]
     operator = clause[:operator]&.to_s
diff --git a/lib/exceptions.rb b/lib/exceptions.rb
index d3b92f4a093..c2ff162a6e0 100644
--- a/lib/exceptions.rb
+++ b/lib/exceptions.rb
@@ -8,6 +8,7 @@ module Mastodon
   class LengthValidationError < ValidationError; end
   class DimensionsValidationError < ValidationError; end
   class StreamValidationError < ValidationError; end
+  class FilterValidationError < ValidationError; end
   class RaceConditionError < Error; end
   class RateLimitExceededError < Error; end
   class SyntaxError < Error; end
diff --git a/spec/lib/search_query_transformer_spec.rb b/spec/lib/search_query_transformer_spec.rb
index 00220f84fd2..9399f3503d0 100644
--- a/spec/lib/search_query_transformer_spec.rb
+++ b/spec/lib/search_query_transformer_spec.rb
@@ -8,6 +8,37 @@ RSpec.describe SearchQueryTransformer do
   let(:account) { Fabricate(:account) }
   let(:parser) { SearchQueryParser.new.parse(query) }
 
+  shared_examples 'date operator' do |operator|
+    let(:statement_operations) { [] }
+
+    [
+      ['2022-01-01', '2022-01-01'],
+      ['"2022-01-01"', '2022-01-01'],
+      ['12345678', '12345678'],
+      ['"12345678"', '12345678'],
+    ].each do |value, parsed|
+      context "with #{operator}:#{value}" do
+        let(:query) { "#{operator}:#{value}" }
+
+        it 'transforms clauses' do
+          ops = statement_operations.index_with { |_op| parsed }
+
+          expect(subject.send(:must_clauses)).to be_empty
+          expect(subject.send(:must_not_clauses)).to be_empty
+          expect(subject.send(:filter_clauses).map(&:term)).to contain_exactly(**ops, time_zone: 'UTC')
+        end
+      end
+    end
+
+    context "with #{operator}:\"abc\"" do
+      let(:query) { "#{operator}:\"abc\"" }
+
+      it 'raises an exception' do
+        expect { subject }.to raise_error(Mastodon::FilterValidationError, 'Invalid date abc')
+      end
+    end
+  end
+
   context 'with "hello world"' do
     let(:query) { 'hello world' }
 
@@ -68,13 +99,33 @@ RSpec.describe SearchQueryTransformer do
     end
   end
 
-  context 'with \'before:"2022-01-01 23:00"\'' do
-    let(:query) { 'before:"2022-01-01 23:00"' }
+  context 'with \'is:"foo bar"\'' do
+    let(:query) { 'is:"foo bar"' }
 
     it 'transforms clauses' do
       expect(subject.send(:must_clauses)).to be_empty
       expect(subject.send(:must_not_clauses)).to be_empty
-      expect(subject.send(:filter_clauses).map(&:term)).to contain_exactly(lt: '2022-01-01 23:00', time_zone: 'UTC')
+      expect(subject.send(:filter_clauses).map(&:term)).to contain_exactly('foo bar')
+    end
+  end
+
+  context 'with date operators' do
+    context 'with "before"' do
+      it_behaves_like 'date operator', 'before' do
+        let(:statement_operations) { [:lt] }
+      end
+    end
+
+    context 'with "after"' do
+      it_behaves_like 'date operator', 'after' do
+        let(:statement_operations) { [:gt] }
+      end
+    end
+
+    context 'with "during"' do
+      it_behaves_like 'date operator', 'during' do
+        let(:statement_operations) { [:gte, :lte] }
+      end
     end
   end
 end