Bug 1283933
| Summary: | WebUI - scoped search raises PGError on feeding a non-integer value for a integer field | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Roman Plevka <rplevka> |
| Component: | Search | Assignee: | Kavita <kgaikwad> |
| Status: | CLOSED ERRATA | QA Contact: | Roman Plevka <rplevka> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | Nightly | CC: | bkearney, jcallaha, kgaikwad, mmccune, sshtein |
| Target Milestone: | 6.4.0 | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | http://projects.theforeman.org/issues/12547 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-10-16 18:57:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Created redmine issue http://projects.theforeman.org/issues/12547 from this bug Upstream bug component is Provisioning The error is present on Katello instances as well (scoped search) - All that is needed to reproduce the issue is to put a large number into search box for a model that contains any integer-based fields. The scoped search then queries each field and crashes on the integer one. related to: BZ#1252046 Moving 6.2 bugs out to sat-backlog. Upstream bug component is Search Upstream bug component is Provisioning Upstream bug component is Search Update: This waits for a fix in scoped_search gem. Once the fix is there, we can add a PR to foreman with proper validation. It will require moving to scoped_search 4.0 I am not sure it will get to 6.2 Upstream bug assigned to kgaikwad VERIFIED on sat6.4.0-5 $ curl -sku admin:changeme "https://sat640.com/katello/api/v2/repositories?enabled=true&library=true&organization_id=1&page=1&paged=true&per_page=20&product_id=303&search=02835944670070534073007027150547768990625906784325107068940431181405948459994084618692975345435345345" {"total":1,"subtotal":0,"page":"1","per_page":"20","error":null,"search":"02835944670070534073007027150547768990625906784325107068940431181405948459994084618692975345435345345","sort":{"by":"name","order":"asc"},"results":[]} Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2927 |
Description of problem: while performing a search on any Foreman entity, there is an error raised on filtering integer-based attributes with non-integer values: This error exposes a SQL query: Warning! PGError: ERROR: invalid input syntax for integer: "not_an_int" LINE 1: ... WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDE... ^ : SELECT "operatingsystems".* FROM "operatingsystems" WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDER BY title LIMIT 20 OFFSET 0 Version-Release number of selected component (if applicable): # rpm -qa katello katello-2.4.0-6.nightly.el7.noarch # rpm -qa foreman* foreman-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch foreman-proxy-1.11.0-0.develop.201511161424gitf24be74.el7.noarch foreman-release-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch foreman-libvirt-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch foreman-release-scl-1-1.el7.x86_64 foreman-ovirt-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch foreman-postgresql-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch foreman-selinux-1.11.0-0.develop.201510071426git6234447.el7.noarch foreman-debug-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch foreman-compute-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch foreman-gce-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch foreman-vmware-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch How reproducible: every time Steps to Reproduce: 1. login to webui 2. go to any foreman entity summary page (e.g. architectures, operating systems,..) 3. type in a query based on an integer-based attribute (e.g. hosts_count) and provide a non-integer value (e.g. hosts_count = 'foo') Actual results: PGError warning Expected results: Although it is alright for the query to fail, the input should be validated before passed to the actual SQL query (perhaps a sql injection might be possible?). The neat solution might be to display an error notification as a popup, so user doesn't need to leave the search page every time he makes an error in the search query Additional info: no SQL tables were harmed during producing this BZ.