search: raise 400 on queries without query (#73420)

combo/apps/search/models.py

@@ -202,6 +202,9 @@ class SearchCell(CellBase):
         if not cell.is_visible(request) or not cell.page.is_visible(request.user):
             raise PermissionDenied
 
+        if 'q' not in request.GET:
+            return HttpResponseBadRequest('missing query parameter')
+
         query = request.GET.get('q')
         if '\x00' in query:  # nul byte
             return HttpResponseBadRequest('invalid query string')

tests/test_search.py

@@ -433,6 +433,9 @@ def test_search_api(app):
     # search nul byte
     resp = app.get('/ajax/search/%s/_text/?q=baz\x00' % cell.id, status=400)
 
+    # search no parameter
+    resp = app.get('/ajax/search/%s/_text/' % cell.id, status=400)
+
 
 def test_search_on_root_page_api(settings, app):
     settings.KNOWN_SERVICES = {}