Move search param guard to format_search_params!

gumclaw · gumclaw · commit 526b03368674 · 2026-04-06T20:23:53.000-04:00
Strip non-Hash search params at the controller level in
format_search_params! instead of guarding in the ES query builder.
This is consistent with how tags, filetypes, and size are already
sanitized in the same method.
diff --git a/app/controllers/concerns/search_products.rb b/app/controllers/concerns/search_products.rb
@@ -33,6 +33,8 @@ def format_search_params!
       if params[:size].is_a?(String)
         params[:size] = params[:size].to_i
       end
+
+      params.delete(:search) unless params[:search].is_a?(Hash)
     end
 
     def offer_codes_search_feature_active?(params)
diff --git a/app/modules/product/searchable.rb b/app/modules/product/searchable.rb
@@ -363,7 +363,7 @@ def search_options(params)
       end
 
       search_options = search_options.to_hash
-      search_options[:query][:bool][:must] << params[:search] if params[:search].is_a?(Hash)
+      search_options[:query][:bool][:must] << params[:search] if params[:search]
 
       if (params[:ids].present? || params[:section].is_a?(SellerProfileSection)) && params[:sort] == ProductSortKey::PAGE_LAYOUT
         product_ids = params[:ids] || params[:section].shown_products
