feat: add MAX_SEARCH_QUERY_LENGTH for autocomplete API calls (#6222)

* feat: add MAX_SEARCH_QUERY_LENGTH for autocomplete API calls

---------

Co-authored-by: Vincent <[email protected]>

Author: rhelmer

src/app/api/v1/location-autocomplete/getRelevantLocations.test.ts

@@ -2,10 +2,48 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-import { getRelevantLocations } from "./getRelevantLocations";
+import { logger } from "../../../functions/server/logging";
+import {
+  getRelevantLocations,
+  MAX_SEARCH_QUERY_LENGTH,
+} from "./getRelevantLocations";
 import { RelevantLocation } from "./types";
 
 describe("getRelevantLocations", () => {
+  let loggerWarnSpy: jest.SpiedFunction<typeof logger.warn>;
+  beforeAll(async () => {
+    loggerWarnSpy = jest.spyOn(logger, "warn");
+  });
+  afterAll(async () => {
+    loggerWarnSpy.mockRestore();
+  });
+  beforeEach(async () => {
+    loggerWarnSpy.mockImplementation((..._args: unknown[]) => logger);
+  });
+  afterEach(async () => {
+    loggerWarnSpy.mockClear();
+  });
+
+  it("returns an empty list if the search term is not a string", () => {
+    // Arrange:
+    const availableLocations: RelevantLocation[] = [
+      {
+        id: "42",
+        n: "Tulsa",
+        s: "OK",
+      },
+    ];
+
+    // Act:
+    const results = getRelevantLocations(
+      null as unknown as string,
+      availableLocations,
+    );
+
+    // Assert:
+    expect(results).toStrictEqual([]);
+  });
+
   it("filters out locations that don't match the search term", () => {
     // Arrange:
     const availableLocations: RelevantLocation[] = [
@@ -48,6 +86,50 @@ describe("getRelevantLocations", () => {
 
     // Assert:
     expect(results).toStrictEqual([]);
+
+    expect(loggerWarnSpy.mock.calls).toEqual([
+      [
+        "location autocomplete query over max length",
+        { length: 0, maxLength: 128 },
+      ],
+    ]);
+  });
+
+  it("returns an empty list if fuzzy search cannot find matches", () => {
+    // Arrange:
+    const availableLocations: RelevantLocation[] = [
+      {
+        id: "42",
+        n: "Tulsa",
+        s: "OK",
+      },
+    ];
+
+    // Act:
+    const results = getRelevantLocations("😺", availableLocations);
+
+    // Assert:
+    expect(results).toStrictEqual([]);
+  });
+
+  it("ignores search terms that exceed the maximum supported length", () => {
+    // Arrange:
+    const availableLocations: RelevantLocation[] = [
+      {
+        id: "42",
+        n: "Tulsa",
+        s: "OK",
+      },
+    ];
+
+    // Act:
+    const results = getRelevantLocations(
+      "a".repeat(MAX_SEARCH_QUERY_LENGTH + 1),
+      availableLocations,
+    );
+
+    // Assert:
+    expect(results).toStrictEqual([]);
   });
 
   it("sorts the 75% most relevant results by location", () => {

src/app/api/v1/location-autocomplete/getRelevantLocations.ts

@@ -4,11 +4,32 @@
 
 import uFuzzy from "@leeoniya/ufuzzy";
 import { RelevantLocation } from "./types";
+import { logger } from "../../../functions/server/logging";
+
+// Guard against pathological inputs that would make ufuzzy's regex generation hang.
+export const MAX_SEARCH_QUERY_LENGTH = 128;
 
 export function getRelevantLocations(
   searchQuery: string,
   knownLocations: RelevantLocation[],
 ): RelevantLocation[] {
+  if (typeof searchQuery !== "string") {
+    return [];
+  }
+
+  const normalizedSearchQuery = searchQuery.trim();
+
+  if (
+    normalizedSearchQuery.length === 0 ||
+    normalizedSearchQuery.length > MAX_SEARCH_QUERY_LENGTH
+  ) {
+    logger.warn("location autocomplete query over max length", {
+      length: normalizedSearchQuery.length,
+      maxLength: MAX_SEARCH_QUERY_LENGTH,
+    });
+    return [];
+  }
+
   /**
    * Fully spelled-out names of locations in the US
    *
@@ -55,7 +76,7 @@ export function getRelevantLocations(
 
   const nameIndexes = fuzzySearch.filter(
     locationNamesAndAlternateNames,
-    searchQuery,
+    normalizedSearchQuery,
   );
   if (!nameIndexes) {
     return [];
@@ -64,12 +85,12 @@ export function getRelevantLocations(
   const info = fuzzySearch.info(
     nameIndexes,
     locationNamesAndAlternateNames,
-    searchQuery,
+    normalizedSearchQuery,
   );
   const order = fuzzySearch.sort(
     info,
     locationNamesAndAlternateNames,
-    searchQuery,
+    normalizedSearchQuery,
   );
   // Since `order` contains a ranked array of indexes to the indexes of the most
   // closely matching names, we can retrieve the associated location data from

src/app/api/v1/location-autocomplete/route.ts

@@ -6,10 +6,15 @@ import { NextResponse, NextRequest } from "next/server";
 
 import { RelevantLocation } from "./types";
 // The location autocomplete data will be created during the build step.
-// @ts-ignore-next-line
-import locationData from "../../../../../locationAutocompleteData.json";
+import locationDataJson from "../../../../../locationAutocompleteData.json";
 import { getRelevantLocations } from "./getRelevantLocations";
 
+type LocationDataFile = {
+  data: RelevantLocation[];
+};
+
+const locationData = locationDataJson as LocationDataFile | undefined;
+
 export type MatchingLocations = Array<RelevantLocation> | [];
 
 export interface SearchLocationParams {
@@ -32,24 +37,29 @@ function getLocationsResults({
     maxResults: 5,
   },
 }: SearchLocationParams): SearchLocationResults {
-  if (!locationData) {
+  if (!locationData?.data) {
     throw new Error(
       "No location data available: You may need to run `npm run create-location-data`.",
     );
   }
 
   const { minQueryLength, maxResults } = config;
 
+  const normalizedSearchQuery =
+    typeof searchQuery === "string" ? searchQuery.trim() : "";
+
+  const knownLocations = locationData.data;
+
   const matchingLocations =
-    searchQuery && searchQuery.length >= minQueryLength
-      ? getRelevantLocations(searchQuery, locationData.data)
+    normalizedSearchQuery.length >= minQueryLength
+      ? getRelevantLocations(normalizedSearchQuery, knownLocations)
       : [];
 
   const locationsResults =
     maxResults > 0 ? matchingLocations.slice(0, maxResults) : matchingLocations;
 
   return {
-    searchQuery,
+    searchQuery: normalizedSearchQuery,
     results: locationsResults as MatchingLocations,
   };
 }