Passing an empty string as objectId to SearchClient.DeleteObject deletes the entire index (not just a record, but the entire index, configuration, settings, etc.). Example: mySearchClient.DeleteObjectAsync("my_index", "")
- The null check is the only guard (SearchClient.cs:6654):
      if (objectID == null)
          throw new ArgumentException("Parameter objectID is required when calling DeleteObject.");
An empty string passes this check.
- ParameterToString("") returns "" (QueryStringHelper.cs:32-53)
— the default branch hits Convert.ToString("", ...) which is just
"". No empty-string handling.
- The path template gets a literal empty substitution (HttpTransport.cs:399):
      path = path.Replace("{" + parameter.Key + "}",
          Uri.EscapeDataString(parameter.Value));
Template /1/indexes/{indexName}/{objectID} becomes
/1/indexes/myIndex/ (trailing slash, empty segment).
Uri.EscapeDataString("") is "", so no protection there either.
- What Algolia's API does with DELETE /1/indexes/myIndex/ — the
delete-index endpoint is DELETE /1/indexes/{indexName} (you can
see it just above at SearchClient.cs:6628). Algolia's gateway
normalizes trailing slashes, so DELETE /1/indexes/myIndex/ is
treated as DELETE /1/indexes/myIndex — which deletes the entire
index (records + settings). It is not the same as "clear index"
(POST /1/indexes/{name}/clear); a delete is more destructive
because it also drops settings, replicas config, etc.
Conclusion: Calling DeleteObject(indexName, "") with the C# SDK
at this commit will send a request that Algolia routes to the
delete-index endpoint and wipes the whole index. The SDK does not
validate against empty, and the URL builder happily produces the
trailing-slash path. Given your recent commits (e996d8f
Implement null/empty item_id check, e24a68c Don't do Algolia
deletes), it sounds like you've already homed in on this — the
null/empty guard at the call site is the right fix; do not rely
on the SDK to catch it.
algoliasearch-client-csharp/algoliasearch/Clients/SearchClient.cs
Line 6654 in 32ecd39
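A call-site guard of the kind the issue recommends, as an added example that is not code from the SDK or from the reporter's project. `BuildPath` reproduces the unchecked template substitution described above using only the .NET base library; `RequireObjectId` and `SafeDeleteObjectPath` are hypothetical helper names, and the index and object IDs are constructed sample values.

```csharp
using System;
using System.Collections.Generic;

static class DeleteObjectGuardDemo
{
    // Substitution as the issue describes it: each {key} is replaced with the
    // escaped value, with no check for empty values.
    static string BuildPath(string template, IDictionary<string, string> pathParams)
    {
        foreach (var p in pathParams)
            template = template.Replace("{" + p.Key + "}", Uri.EscapeDataString(p.Value));
        return template;
    }

    // Hypothetical call-site guard: reject null, empty and whitespace-only IDs
    // before any request is built. Whitespace is rejected as a stricter choice.
    static string RequireObjectId(string objectId)
    {
        if (string.IsNullOrWhiteSpace(objectId))
            throw new ArgumentException("objectID must be a non-empty string.", nameof(objectId));
        return objectId;
    }

    // Hypothetical wrapper an application would call instead of the SDK method directly.
    static string SafeDeleteObjectPath(string indexName, string objectId)
    {
        var parameters = new Dictionary<string, string>
        {
            ["indexName"] = indexName,
            ["objectID"] = RequireObjectId(objectId),
        };
        return BuildPath("/1/indexes/{indexName}/{objectID}", parameters);
    }

    static void Main()
    {
        // Constructed sample values.
        var unguarded = BuildPath("/1/indexes/{indexName}/{objectID}",
            new Dictionary<string, string> { ["indexName"] = "myIndex", ["objectID"] = "" });
        Console.WriteLine($"unguarded, empty id: {unguarded}");

        Console.WriteLine($"guarded, real id:    {SafeDeleteObjectPath("myIndex", "item 42/a")}");

        try { SafeDeleteObjectPath("myIndex", ""); }
        catch (ArgumentException ex) { Console.WriteLine($"guarded, empty id:   rejected ({ex.Message})"); }
    }
}
```

The unguarded call yields the trailing-slash path the issue describes, while the guarded wrapper throws before any path is built.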