Description of problem:
While performing a search on any Foreman entity, an error is raised when filtering integer-based attributes with non-integer values. This error exposes a SQL query:

Warning! PGError: ERROR: invalid input syntax for integer: "not_an_int"
LINE 1: ... WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDE...
^
: SELECT "operatingsystems".* FROM "operatingsystems" WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDER BY title LIMIT 20 OFFSET 0

Version-Release number of selected component (if applicable):
# rpm -qa katello
katello-2.4.0-6.nightly.el7.noarch
# rpm -qa foreman*
foreman-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-proxy-1.11.0-0.develop.201511161424gitf24be74.el7.noarch
foreman-release-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-libvirt-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-release-scl-1-1.el7.x86_64
foreman-ovirt-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-postgresql-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-selinux-1.11.0-0.develop.201510071426git6234447.el7.noarch
foreman-debug-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-compute-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-gce-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-vmware-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch

How reproducible:
every time

Steps to Reproduce:
1. login to webui
2. go to any foreman entity summary page (e.g. architectures, operating systems, ...)
3. type in a query based on an integer-based attribute (e.g. hosts_count) and provide a non-integer value (e.g. hosts_count = 'foo')

Actual results:
PGError warning

Expected results:
Although it is alright for the query to fail, the input should be validated before being passed to the actual SQL query (perhaps a SQL injection might be possible?).
The neat solution might be to display an error notification as a popup, so the user doesn't need to leave the search page every time he makes an error in the search query.

Additional info:
no SQL tables were harmed during producing this BZ.
Created redmine issue http://projects.theforeman.org/issues/12547 from this bug
Upstream bug component is Provisioning
The error is present on Katello instances as well (scoped search) - All that is needed to reproduce the issue is to put a large number into search box for a model that contains any integer-based fields. The scoped search then queries each field and crashes on the integer one. related to: BZ#1252046
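As an added illustration of the validation the report asks for, and of the "large number in the search box" case in the comment above: a small Ruby example (not code from Foreman or the scoped_search gem) that checks a search value against the column's type and the PostgreSQL integer range before it is bound into the query, so both "not_an_int" and an oversized number turn into a search error the UI can show instead of a PGError from the database. The column table, operator map and function names are assumptions made for this example.

```ruby
# Added example, not code from Foreman or the scoped_search gem: validate a
# search value against the column type before it reaches SQL, so a bad value
# produces a user-facing message instead of a PGError from PostgreSQL.

# Assumed column metadata for the operatingsystems table (in Foreman this
# would be read from the model's schema).
COLUMN_TYPES = {
  "operatingsystems" => {
    "title"            => :string,
    "hostgroups_count" => :integer,
    "hosts_count"      => :integer,
  },
}.freeze

# PostgreSQL 4-byte integer range: values outside it parse fine in Ruby but
# fail in the database with "integer out of range".
PG_INT_MIN = -2_147_483_648
PG_INT_MAX =  2_147_483_647

# Search operators mapped to their SQL spelling; anything else is rejected.
OPERATORS = {
  "=" => "=", "!=" => "<>", "<" => "<", "<=" => "<=", ">" => ">", ">=" => ">=",
}.freeze

class SearchValidationError < StandardError; end

# Returns the value coerced to the column's type, or raises
# SearchValidationError with a message suitable for a UI notification.
def validate_search_value(table, column, raw)
  type = COLUMN_TYPES.fetch(table, {})[column]
  raise SearchValidationError, "unknown field '#{column}'" if type.nil?

  case type
  when :integer
    text = raw.to_s
    unless text.match?(/\A-?\d+\z/)
      raise SearchValidationError, "'#{column}' expects an integer, got #{text.inspect}"
    end
    value = Integer(text, 10)
    unless value.between?(PG_INT_MIN, PG_INT_MAX)
      raise SearchValidationError, "'#{column}' value #{text} is out of range for an integer column"
    end
    value
  when :string
    raw.to_s
  end
end

# Builds one WHERE fragment with a bind placeholder. The table and column
# names come from the whitelist above, never from the user, and the value is
# returned separately as a bind rather than interpolated into the SQL text.
def build_condition(table, column, operator, raw)
  sql_op = OPERATORS[operator]
  raise SearchValidationError, "unsupported operator #{operator.inspect}" if sql_op.nil?

  value = validate_search_value(table, column, raw)
  [%(("#{table}"."#{column}" #{sql_op} ?)), [value]]
end

# Free-text search across every column of the model, which is where the
# "large number in the search box" case bites: integer columns are queried
# only when the term is a valid, in-range integer and are skipped otherwise,
# instead of letting the database reject the whole query. Equality is used
# for the string column here for brevity.
def free_text_conditions(table, term)
  COLUMN_TYPES.fetch(table).keys.map do |column|
    begin
      build_condition(table, column, "=", term)
    rescue SearchValidationError
      nil
    end
  end.compact
end

if $PROGRAM_NAME == __FILE__
  p build_condition("operatingsystems", "hostgroups_count", "<=", "5")
  p free_text_conditions("operatingsystems", "not_an_int")
end
```

The caller would join the returned fragments with AND and hand the binds to the database driver; the point is that the rejection happens in application code, where it can be reported as a notification on the search page, rather than as a PGError surfaced after the SQL has already been built.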
Moving 6.2 bugs out to sat-backlog.
Upstream bug component is Search
Update: This waits for a fix in scoped_search gem. Once the fix is there, we can add a PR to foreman with proper validation.
It will require moving to scoped_search 4.0. I am not sure it will get to 6.2.
Upstream bug assigned to kgaikwad@redhat.com
VERIFIED on sat6.4.0-5

$ curl -sku admin:changeme "https://sat640.com/katello/api/v2/repositories?enabled=true&library=true&organization_id=1&page=1&paged=true&per_page=20&product_id=303&search=02835944670070534073007027150547768990625906784325107068940431181405948459994084618692975345435345345"
{"total":1,"subtotal":0,"page":"1","per_page":"20","error":null,"search":"02835944670070534073007027150547768990625906784325107068940431181405948459994084618692975345435345345","sort":{"by":"name","order":"asc"},"results":[]}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2927