Bug 676761

Summary: Entering invalid expression in search bar results in uncaught runtime exception, rather than user friendly error
Product: [Other] RHQ Project Reporter: Corey Welton <cwelton>
Component: SearchBarAssignee: Charles Crouch <ccrouch>
Status: CLOSED CURRENTRELEASE QA Contact: Mike Foley <mfoley>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0.0CC: ccrouch, hbrock, skondkar
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 4.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-03 13:01:22 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 676759, 678340, 730796    
Attachments:
Description Flags
Screenshot none

Description Corey Welton 2011-02-10 22:41:59 EST
Description of problem:
If a user pastes javascript into the searchbar, an unhandled error is displayed.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Navigate to $resource > inventory
2. In the search bar, enter the string "<script type="text/javascript"> document.write('<b>Hello World</b>'); </script>"
3.  View results
  
Actual results:

	
Message Center :	
Failed to load resource composite data
Severity :	
Error
	
Time :	
Thu 10 Feb 2011 10:40:50 PM EST
Detail :
java.lang.RuntimeException:javax.ejb.EJBException:org.rhq.enterprise.server.search.SearchExpressionException: search pattern error -> org.rhq.enterprise.server.search.SearchExpressionException:search pattern error

Expected results:


Additional info:

Actually, just entering this --

document.write('<b>Hello World</b>')

will cause a similar error
Comment 1 Ian Springer 2011-04-01 12:51:13 EDT
I don't see a security bug here. However, we should be printing a friendly "Invalid search expression." error rather than an ugly stack trace with the SearchExpressionException buried inside it.
Comment 2 Ian Springer 2011-08-24 12:09:11 EDT
[master ad611c8] fixes this. We now display an "Invalid search expression." error message if the user enters an invalid search expression on either the Resource or group list views.
Comment 3 Sunil Kondkar 2011-08-25 08:10:49 EDT
Tested on on build#344 (Version: 4.1.0-SNAPSHOT Build Number: bdc6f5e)

The error message "Invalid search expression." is displayed to the user when user enters invalid search expression on the resource or group list views in 'Inventory->Resources' or 'Inventory->Groups' menu.

However, when a user navigates to 'Inventory->Child Resources' tab of a resource (Ex: Platform resource), and enters the invalid expression, it displays the error "Failed to load resource composite data" in UI.

Below are the details in message center:

Message : Failed to load resource composite data
Severity : Error
	
Time :	Thursday, August 25, 2011 5:21:22 PM Etc/GMT-5:30
Detail :	
java.lang.RuntimeException:[1314273082029] javax.ejb.EJBException:org.rhq.enterprise.server.search.SearchExpressionException: search pattern error -> org.rhq.enterprise.server.search.SearchExpressionException:search pattern error



Below are the steps to reproduce:
1. Login to RHQ.
2. Navigate to the 'Inventory->Child Resources' tab of the inventoried platform.
3. In the search bar, enter the search criteria " document.write('<b>Hello World</b>') "
4. Press Enter key.

Please refer the attached screenshot.
Comment 4 Sunil Kondkar 2011-08-25 08:11:40 EDT
Created attachment 519830 [details]
Screenshot
Comment 5 Ian Springer 2011-08-30 12:08:01 EDT
Good catch - I forgot about the Inventory>Children subtab, which also provides a search bar. [master 74ead91] fixes that.
Comment 6 Sunil Kondkar 2011-08-31 04:42:11 EDT
Verified on build#373 (Version: 4.1.0-SNAPSHOT Build Number: 044113e)

when a user navigates to 'Inventory->Child Resources' tab of a
resource (Ex: Platform resource), and enters the invalid expression, it
displays the expected error message ""Invalid search expression." in UI.

Marking as verified.
Comment 8 Heiko W. Rupp 2013-09-03 13:01:22 EDT
Bulk closing of old issues that are in VERIFIED state.