A critical vulnerability was discovered in React Server Components (Next.js). Our systems remain protected but we advise to update packages to newest version. Learn More

AI OnAI Off

Access to modifed closure: Track() and MultiSearch<T>.GetResults()

Vote:
 

Reflected code:

        public static IEnumerable<SearchResults<TResult>> GetResult<TResult>(this IMultiSearch<TResult> multiSearch)
        {
            multiSearch.ValidateNotNullArgument("multiSearch");
            List<Tuple<SearchContext, ProjectionHelper>> searchRequests = new List<Tuple<SearchContext, ProjectionHelper>>();
            foreach (ISearch<TResult> search in multiSearch.Searches)
            {
                SearchContext searchContext = new SearchContext();
                search.ApplyActions(searchContext);
                if (searchContext.Projections.Count == 0)
                {
                    throw new NotSupportedException("MultiSearch does not support search queries without a projection. Please use the MultiSearch<>.Search() extensions when registering individual queries");
                }
                ProjectionHelper helper = new ProjectionHelper(search.Client.Conventions, searchContext.Projections, searchContext.Language, search.Client.CustomizeSerializer);
                foreach (Expression expression in searchContext.Projections.Values)
                {
                    helper.ApplySelector(expression, searchContext.RequestBody, searchContext.Language);
                }
                searchRequests.Add(new Tuple<SearchContext, ProjectionHelper>(searchContext, helper));
            }
            List<SearchResults<JObject>> list = multiSearch.Client.MultiSearch<JObject>(from x in searchRequests select new Tuple<SearchRequestBody, Action<SearchCommand>>(x.Item1.RequestBody, x.Item1.CommandAction), null).ToList<SearchResults<JObject>>();
            List<SearchResults<TResult>> list2 = new List<SearchResults<TResult>>();
            WaitCallback callBack = null;
            for (int i = 0; i < list.Count; i++)
            {
                SearchResults<TResult> item = new SearchResults<TResult>(searchRequests[i].Item2.GetMappedResult<TResult>(searchRequests[i].Item1.RequestBody, list[i]));
                if (searchRequests[i].Item1.Track != null)
                {
                    TrackContext state = new TrackContext
                    {
                        Query = searchRequests[i].Item1.RequestBody.Query,
                        Result = item
                    };
                    if (callBack == null)
                    {
                        callBack = delegate(object threadContext)
                        {
                            ((ITrackContext)threadContext).TryTrack(searchRequests[i].Item1.Track);
                        };
                    }
                    ThreadPool.QueueUserWorkItem(callBack, state);
                }
                list2.Add(item);
            }
            return list2;
        }

Will throw ArgumentOfRangeException here:

                        callBack = delegate(object threadContext)
                        {
                            ((ITrackContext)threadContext).TryTrack(searchRequests[i].Item1.Track);
                        };

        

 

#85471
Apr 25, 2014 18:20
Vote:
 

Also check on null here will lead to sending of wrong information to track system:

callBack == null

    

#85472
Edited, Apr 25, 2014 18:54
Vote:
 

Does anyone take care of this?

#86293
May 18, 2014 13:26
Vote:
 

Hi Yauheni,

I have entered this into our bug system to make sure it is triaged and investigated.

Thank you for your reporting this!

Regards,
Håkan

#86618
May 26, 2014 19:10
Daniel Funseth
Daniel Funseth
Vote:
 

Hi,

What is the status of this issue? I cannot find this bug in the EPiServer bug list.

I cannot do a multisearch when using the Track extension. This generates a ArgumentOfRangeException in EPi find.

Regards

Daniel Funseth

#88257
Jul 08, 2014 14:12
Vote:
 

Bug #114704. 

The bug is still under investigation and hasn't been made "public" yet. 

#88355
Jul 09, 2014 14:12
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.