typesense-js

Deleting collections with special characters doesn't work

Open bfritscher opened this issue 1 year ago • 1 comments

Description

If I create a collection with a "+" in the name, I can no longer interact with it in API calls which use the collection name in the URL part.

It looks as if there is no escaping happening when building URLs for the Typesense API.

Does the user of this library need to escape the collection name before using the API and make assumptions about the underlying workings of the API?

Steps to reproduce

  • Add a collection named "foo+bar" with a dummy field
  • Try to delete the collection

Expected Behavior

  • is URL-encoded to make the API call work

Actual Behavior

String is used as is and the server receives "foo bar".

Metadata

Typesense-js Version: 1.7.2

Reported via https://github.com/bfritscher/typesense-dashboard/issues/44

bfritscher avatar Feb 12 '24 13:02 bfritscher

Same with # which opens up malicious actors to deleting unauthorised rows when combined with badly designed IDs/validation.

In fact, one could delete an entire collection just by starting the document ID with a hash.

LewisW avatar Jun 10 '24 13:06 LewisW

Resolved in latest versions

jasonbosco avatar Feb 05 '25 14:02 jasonbosco
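
The encoding gap reported in the issue ("+") and in the first comment ("#"), shown as an added example; this is not typesense-js code. The builders, the base URL and the sample names are constructed, the paths assume the `/collections/:name/documents/:id` layout, and the "+"-to-space decoding in `serverSegments` is an assumption modelled on the behaviour reported above.

```javascript
// Added illustration, not typesense-js source. BASE and all names are constructed.
const BASE = "http://localhost:8108";

// Before: caller-supplied names are interpolated into the path as-is.
function unsafePath(collection, documentId) {
  let path = `/collections/${collection}`;
  if (documentId !== undefined) path += `/documents/${documentId}`;
  return path;
}

// After: every dynamic path segment is percent-encoded before it is joined.
function safePath(collection, documentId) {
  let path = `/collections/${encodeURIComponent(collection)}`;
  if (documentId !== undefined) path += `/documents/${encodeURIComponent(documentId)}`;
  return path;
}

// Path segments as the receiving side would see them.
// The URL parser splits off "#fragment", which is never sent to a server.
// Assumption: the server decodes "+" as a space, as reported in the issue.
function serverSegments(path) {
  const { pathname } = new URL(path, BASE);
  return pathname
    .split("/")
    .slice(1)
    .map((seg) => decodeURIComponent(seg.replace(/\+/g, " ")));
}

// Constructed sample inputs: [collection, documentId]
const samples = [
  ["foo+bar", undefined],
  ["products", "#123"],
];

for (const [collection, id] of samples) {
  console.log({
    input: [collection, id],
    unsafe: serverSegments(unsafePath(collection, id)),
    safe: serverSegments(safePath(collection, id)),
  });
}
```

With the unescaped builder the document ID in the second sample never reaches the request target, so the request addresses the `documents` resource of the collection rather than one document.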