Bug 1283933 - WebUI - scoped search raises PGError on feeding a non-integer value for a integer field
WebUI - scoped search raises PGError on feeding a non-integer value for a int...
Status: ON_QA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Search (Show other bugs)
Unspecified Unspecified
high Severity high (vote)
: GA
: --
Assigned To: Kavita
Roman Plevka
: Triaged
Depends On:
  Show dependency treegraph
Reported: 2015-11-20 05:24 EST by Roman Plevka
Modified: 2018-05-09 01:54 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 12547 None None None 2016-04-22 11:40 EDT

  None (edit)
Description Roman Plevka 2015-11-20 05:24:42 EST
Description of problem:
while performing a search on any Foreman entity, there is an error raised on filtering integer-based attributes with non-integer values:

This error exposes a SQL query:

PGError: ERROR: invalid input syntax for integer: "not_an_int" LINE 1: ... WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDE... ^ : SELECT "operatingsystems".* FROM "operatingsystems" WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDER BY title LIMIT 20 OFFSET 0

Version-Release number of selected component (if applicable):

# rpm -qa katello
# rpm -qa foreman*

How reproducible:
every time

Steps to Reproduce:
1. login to webui
2. go to any foreman entity summary page (e.g. architectures, operating systems,..)
3. type in a query based on an integer-based attribute (e.g.  hosts_count) and provide a non-integer value (e.g. hosts_count = 'foo')

Actual results:
PGError warning

Expected results:
Although it is alright for the query to fail, the input should be validated before passed to the actual SQL query (perhaps a sql injection might be possible?).
The neat solution might be to display an error notification as a popup, so user doesn't need to leave the search page every time he makes an error in the search query

Additional info:
no SQL tables were harmed during producing this BZ.
Comment 1 Roman Plevka 2015-11-20 05:27:21 EST
Created redmine issue http://projects.theforeman.org/issues/12547 from this bug
Comment 2 Bryan Kearney 2015-11-20 06:02:46 EST
Upstream bug component is Provisioning
Comment 3 Roman Plevka 2016-01-08 07:25:47 EST
The error is present on Katello instances as well (scoped search) -
All that is needed to reproduce the issue is to put a large number into search box for a model that contains any integer-based fields.
The scoped search then queries each field and crashes on the integer one.

related to: BZ#1252046
Comment 4 Bryan Kearney 2016-07-26 15:09:52 EDT
Moving 6.2 bugs out to sat-backlog.
Comment 5 Bryan Kearney 2016-08-10 15:11:15 EDT
Upstream bug component is Search
Comment 6 Bryan Kearney 2016-08-10 16:12:18 EDT
Upstream bug component is Provisioning
Comment 7 Bryan Kearney 2016-08-10 18:11:59 EDT
Upstream bug component is Search
Comment 8 Shimon Shtein 2016-10-13 09:30:23 EDT
Update: This waits for a fix in scoped_search gem. Once the fix is there, we can add a PR to foreman with proper validation.
Comment 9 Shimon Shtein 2016-12-14 07:28:37 EST
It will require moving to scoped_search 4.0 I am not sure it will get to 6.2
Comment 16 pm-sat@redhat.com 2017-09-11 16:15:20 EDT
Upstream bug assigned to kgaikwad@redhat.com

Note You need to log in before you can comment on or make changes to this bug.