User/Project command palette search are sending incorrect scope
Summary
We've seen an increase in abusive searches being reported; 90%+ are coming from the autocomplete endpoint.
Command palette searches for users and projects inject a scope parameter into the autocomplete call. The scopes being passed are not plural (user and project instead of users and projects), which is interpreted as an abusive search, and no results are returned.
Steps to reproduce
- open GitLab
- open developer tools, network tab
- open the command palette
- search for a user; results are returned and 2 calls are made to the backend
- search for a user by using the @ prefix; results are returned
- search for a project by using the : prefix; results are returned
What is the current bug behavior?
There are multiple bugs here:
- backend: the scope is incorrect and detected as abusive, yet results are still returned
- frontend: the scope being sent is incorrect and needs to be pluralized
What is the expected correct behavior?
- backend: should not return results if the search is abusive
- frontend: should send the correct scopes
Relevant logs and/or screenshots
Possible fixes
For the frontend, the scopes defined in the constant SEARCH_SCOPE in app/assets/javascripts/super_sidebar/components/global_search/command_palette/constants.js need to be pluralized.
For the backend, the autocomplete is called from the SearchController into the search_autocomplete_opts method in SearchHelper. If the search is not allowed, empty results should be returned.
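As an added illustration (not GitLab's code), a minimal Ruby helper in the shape of the backend fix: the abuse check gates the lookup instead of merely flagging it. The allowed scopes, the abuse rule (any scope outside the allow-list, such as the singular "user" the palette sent) and the in-memory sample records are constructed assumptions, not GitLab's rules.

```ruby
# Added example, not GitLab's code: fail-closed autocomplete for an abusive scope.
module AutocompleteExample
  # Assumption: the backend only knows plural scopes.
  ALLOWED_SCOPES = %w[users projects].freeze

  # Constructed sample data standing in for the real search backend.
  RECORDS = {
    "users"    => %w[alice alicia bob],
    "projects" => %w[alpha-api alpha-web beta]
  }.freeze

  # Abuse rule assumed for this example: a scope outside the allow-list
  # (e.g. "user" instead of "users") marks the request as abusive.
  def self.abusive?(scope)
    !ALLOWED_SCOPES.include?(scope)
  end

  # Shape of the bug described in the issue: abuse is detected, but the
  # lookup still runs. The fallback to every collection is constructed to
  # show how a flagged-but-not-gated request still leaks results.
  def self.buggy_autocomplete(term, scope)
    flagged = abusive?(scope)
    candidates = RECORDS.fetch(scope) { RECORDS.values.flatten }
    { abusive: flagged, results: candidates.select { |n| n.start_with?(term) } }
  end

  # Fixed shape: the abuse check gates the lookup, so an abusive request
  # returns an empty result set before any data is touched.
  def self.fixed_autocomplete(term, scope)
    return { abusive: true, results: [] } if abusive?(scope)

    { abusive: false, results: search(term, scope) }
  end

  def self.search(term, scope)
    RECORDS.fetch(scope, []).select { |name| name.start_with?(term) }
  end
end
```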