Add test for regex sanitisation in item search

ml-evs · ml-evs · commit 3cb7eb15b4c7 · 2025-08-29T01:03:00.000+01:00
diff --git a/pydatalab/src/pydatalab/routes/v0_1/items.py b/pydatalab/src/pydatalab/routes/v0_1/items.py
@@ -1,5 +1,6 @@
 import datetime
 import json
+import re
 
 from bson import ObjectId
 from flask import Blueprint, jsonify, redirect, request
@@ -327,6 +328,8 @@ def search_items():
         pipeline.append({"$match": match_obj})
         pipeline.append({"$sort": {"score": {"$meta": "textScore"}}})
     else:
+        query = re.escape(query)
+        LOGGER.debug("Performing regex search for %s", query)
         match_obj = {
             "$or": [{field: {"$regex": query, "$options": "i"}} for field in ITEMS_FTS_FIELDS]
         }
diff --git a/pydatalab/tests/server/conftest.py b/pydatalab/tests/server/conftest.py
@@ -494,6 +494,7 @@ def example_items(user_id, admin_user_id):
             Sample(
                 **{
                     "item_id": "sample_2",
+                    "chemform": "vanadium (II) oxide",
                     "name": "other_sample",
                     "date": "1970-02-01",
                     "refcode": "grey:TEST3",
@@ -515,7 +516,7 @@ def example_items(user_id, admin_user_id):
                 **{
                     "item_id": "test",
                     "chemform": "NaNiO2",
-                    "name": "NaNiO2",
+                    "name": "NaNiO2-v",
                     "date": "1970-02-01",
                     "description": "magic",
                     "refcode": "grey:TEST5",
diff --git a/pydatalab/tests/server/test_samples.py b/pydatalab/tests/server/test_samples.py
@@ -242,6 +242,24 @@ def test_item_search(client, admin_client, real_mongo_client, example_items):
     assert "test" in item_ids
     assert "sample_admin" in item_ids
 
+    # Search for string with brackets
+    response = admin_client.get("/search-items/?query='vanadium('")
+
+    assert response.status_code == 200
+    assert response.json["status"] == "success"
+    item_ids = {item["item_id"] for item in response.json["items"]}
+    assert len(item_ids) == 1
+    assert "sample_2" in item_ids
+
+    # Search for single char at start of word
+    response = admin_client.get("/search-items/?query='v'")
+
+    assert response.status_code == 200
+    assert response.json["status"] == "success"
+    item_ids = {item["item_id"] for item in response.json["items"]}
+    assert len(item_ids) == 1
+    assert "sample_2" in item_ids
+
 
 @pytest.mark.dependency(depends=["test_delete_sample"])
 def test_new_sample_with_relationships(client, complicated_sample):
