Bug 2158526 - Future execution corner case can bypass input validation in the new rex wizard
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Remote Execution
Version: 6.13.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: 6.14.0
Assignee: Maria
QA Contact: Peter Ondrejka
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-01-05 16:23 UTC by Peter Ondrejka
Modified: 2023-11-08 14:18 UTC (History)

Fixed In Version: foreman_remote_execution-9.1.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-08 14:18:10 UTC
Target Upstream Version:
Embargoed:


Attachments
snap 11 state (122.12 KB, image/png)
2023-02-23 14:33 UTC, Adam Ruzicka
6.14 state (50.04 KB, image/png)
2023-06-13 12:55 UTC, Peter Ondrejka


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SAT-14824 0 None None None 2023-01-09 14:28:40 UTC
Red Hat Product Errata RHSA-2023:6818 0 None None None 2023-11-08 14:18:18 UTC

Description Peter Ondrejka 2023-01-05 16:23:21 UTC
Description of problem:
It is possible to create a job pending in "No data available" state, using future execution settings in the new job wizard

Version-Release number of selected component (if applicable):
6.13 snap 3

How reproducible:
always

Steps to Reproduce:
1. Define a rex job using a new UI
2. Select future execution
3. In the Future execution step, clear the "Starts at" field. For "Starts before" pick current date from the date picker -- in the time field, current time is automatically selected and the input validation correctly shows a warning. Increase the time by one minute.
4. Move to the Review step and wait one minute. When the current time matches the time set in step 3, hit Run

Actual results:
The job is started, remains in no data available status (screen 1)

Expected results:
The job is not run

Additional info:
In step 4 above, if we wait one more minute, the job is not started and "Internal server error" is reported (btw. there could be a nicer message). So it seems that validation upon execution catches current_time > start_before but not current_time = start_before
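
The boundary condition inferred above (current_time > start_before is rejected, current_time = start_before is not), as an added Ruby example that is not part of the original report and is not foreman_remote_execution code. `FutureWindow`, `trigger_errors` and the minute-granularity comparison are hypothetical; the sample times are constructed.

```ruby
# Hypothetical stand-in for the wizard's scheduling fields (not Foreman's model).
FutureWindow = Struct.new(:start_at, :start_before)

# Assumption: the date picker works in whole minutes, so compare at that granularity.
def to_minute(time)
  Time.at(time.to_i / 60 * 60).utc
end

# Server-side check run when "Run" is submitted, using the server clock rather
# than whatever the form validated while the user sat on the Review step.
# boundary: :strict models the reported behaviour (only now > start_before fails);
# boundary: :inclusive also rejects now == start_before.
def trigger_errors(window, now:, boundary: :inclusive)
  errors = []
  deadline = window.start_before && to_minute(window.start_before)
  return errors if deadline.nil?

  if window.start_at && to_minute(window.start_at) >= deadline
    errors << '"Starts before" must be later than "Starts at"'
  end

  current = to_minute(now)
  late = boundary == :strict ? current > deadline : current >= deadline
  errors << '"Starts before" must be in the future' if late
  errors
end

# Constructed sample: deadline picked as 16:24 UTC, "Starts at" cleared.
WINDOW = FutureWindow.new(nil, Time.utc(2023, 1, 5, 16, 24))
SAMPLE_CLOCKS = {
  'before deadline' => Time.utc(2023, 1, 5, 16, 23, 40),
  'same minute'     => Time.utc(2023, 1, 5, 16, 24, 10),
  'minute after'    => Time.utc(2023, 1, 5, 16, 25, 5)
}.freeze

# For each sample clock, report whether the trigger would be accepted.
def compare_boundaries
  SAMPLE_CLOCKS.to_h do |label, now|
    [label, { strict: trigger_errors(WINDOW, now: now, boundary: :strict).empty?,
              inclusive: trigger_errors(WINDOW, now: now, boundary: :inclusive).empty? }]
  end
end

compare_boundaries.each { |label, accepted| puts "#{label}: #{accepted}" }
```

Only the "same minute" clock separates the two comparisons: the strict check accepts the trigger, the inclusive check rejects it.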

Comment 3 Adam Ruzicka 2023-02-23 14:33:46 UTC
Created attachment 1945917 [details]
snap 11 state

On snap 10, I'm observing slightly different behavior. There is no ISE when the job gets triggered. I admit, the user experience isn't exactly great, but it is not as broken as described in #0. I'd consider this an edge case and while it would be nice to have it somehow covered, I wouldn't hold 6.13 for this.

Comment 4 Brad Buckingham 2023-02-23 17:11:38 UTC
Peter,

Can you review/respond to the feedback in comment 3? 
Do you agree not a blocker for 6.13?

Thanks!

Comment 5 Peter Ondrejka 2023-03-01 13:57:17 UTC
Hello, I didn't propose this as a blocker, ack to comment 3

Comment 8 Peter Ondrejka 2023-06-13 12:55:24 UTC
Created attachment 1970657 [details]
6.14 state

Comment 9 Peter Ondrejka 2023-06-13 12:58:27 UTC
Verified on Sat 6.14 sn 1. The ISE no longer occurs, and executing a job after the start before date is now prevented even when the user stays idle in the wizard for a while (screenshot attached).

Comment 12 errata-xmlrpc 2023-11-08 14:18:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.14 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6818

