Bug 1874587
| Summary: | Tags values in report are not escaped - can potentially cause JSON to be invalid | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Mirek Długosz <mzalewsk> |
| Component: | RH Cloud - Inventory | Assignee: | Shimon Shtein <sshtein> |
| Status: | CLOSED ERRATA | QA Contact: | Jameer Pathan <jpathan> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.8.0 | CC: | aruzicka, egolov |
| Target Milestone: | 6.10.0 | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | tfm-rubygem-foreman_rh_cloud-3.0.18 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-16 14:09:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Verified
Verified with:
- Satellite 6.10.0 snap 6
- tfm-rubygem-foreman_rh_cloud-4.0.22-1.el7sat.noarch
Test steps:
- Create Organization, Location, Content view, Lifecycle environment, Hostgroup,
Host collection and Activation key entities with name containing " (double quote) in it.
- Register a content host with satellite using entities created.
- Generate Inventory report.
Observation:
- Valid json report is generated.
- Tag values are escaped properly.
- Host uploaded to c.r.c
Tags from generated json file:
{
"key": "location",
"namespace": "satellite",
"value": "'location \" ' insights'"
},
{
"key": "location",
"namespace": "satellite",
"value": "'location \" ' insights'"
},
{
"key": "hostgroup",
"namespace": "satellite",
"value": "\"host '' group insights\""
},
{
"key": "hostgroup",
"namespace": "satellite",
"value": "\"host '' group insights\""
},
{
"key": "host collection",
"namespace": "satellite",
"value": "hc \" insights ' ' \""
},
{
"key": "organization",
"namespace": "satellite",
"value": "\"organiztion ' ' insights\""
},
{
"key": "lifecycle_environment",
"namespace": "satellite",
"value": "lifecycle ' ' env \" insights"
},
{
"key": "content_view",
"namespace": "satellite",
"value": "cv \" insights \""
},
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:4702 |
In generated report slice, we include various Satellite facts inside "tags" object. These values are not escaped and can potentially cause JSON to be invalid. As example, following is perfectly valid host collection name for Satellite: my host collection " double quote Inventory plugin will take that value verbatim and produce following JSON: #v+ "tags": [ {"namespace": "satellite", "key": "host_collection", "value": "my host collection " double quote"} ] #v- This, of course, is not valid JSON - double quotes are not balanced and parser might assume that only `my host collection ` is "value" content - and what follows will cause parser to trip. I verified that on host collection and organization name, but most likely same issue is present for lifecycle environment, content view, activation key, location and hostgroup. All these fields come from user and we should treat them as potentially invalid. Found on: Satellite 6.8 snap 13 pulp-server-2.21.2-1.el7sat.noarch foreman-2.1.2.1-1.el7sat.noarch katello-3.16.0-0.4.rc4.el7sat.noarch satellite-6.8.0-1.el7sat.noarch tfm-rubygem-foreman_rh_cloud-2.0.10-1.el7sat.noarch