Bug 676761 - Entering invalid expression in search bar results in uncaught runtime exception, rather than user friendly error
Summary: Entering invalid expression in search bar results in uncaught runtime excepti...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RHQ Project
Classification: Other
Component: SearchBar
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
medium
medium vote
Target Milestone: ---
: ---
Assignee: Charles Crouch
QA Contact: Mike Foley
URL:
Whiteboard:
Depends On:
Blocks: gwt-search jon3 rhq41-ui
TreeView+ depends on / blocked
 
Reported: 2011-02-11 03:41 UTC by Corey Welton
Modified: 2015-02-01 23:26 UTC (History)
3 users (show)

Fixed In Version: 4.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-03 17:01:22 UTC


Attachments (Terms of Use)
Screenshot (79.44 KB, image/png)
2011-08-25 12:11 UTC, Sunil Kondkar
no flags Details

Description Corey Welton 2011-02-11 03:41:59 UTC
Description of problem:
If a user pastes javascript into the searchbar, an unhandled error is displayed.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Navigate to $resource > inventory
2. In the search bar, enter the string "<script type="text/javascript"> document.write('<b>Hello World</b>'); </script>"
3.  View results
  
Actual results:

	
Message Center :	
Failed to load resource composite data
Severity :	
Error
	
Time :	
Thu 10 Feb 2011 10:40:50 PM EST
Detail :
java.lang.RuntimeException:javax.ejb.EJBException:org.rhq.enterprise.server.search.SearchExpressionException: search pattern error -> org.rhq.enterprise.server.search.SearchExpressionException:search pattern error

Expected results:


Additional info:

Actually, just entering this --

document.write('<b>Hello World</b>')

will cause a similar error

Comment 1 Ian Springer 2011-04-01 16:51:13 UTC
I don't see a security bug here. However, we should be printing a friendly "Invalid search expression." error rather than an ugly stack trace with the SearchExpressionException buried inside it.

Comment 2 Ian Springer 2011-08-24 16:09:11 UTC
[master ad611c8] fixes this. We now display an "Invalid search expression." error message if the user enters an invalid search expression on either the Resource or group list views.

Comment 3 Sunil Kondkar 2011-08-25 12:10:49 UTC
Tested on on build#344 (Version: 4.1.0-SNAPSHOT Build Number: bdc6f5e)

The error message "Invalid search expression." is displayed to the user when user enters invalid search expression on the resource or group list views in 'Inventory->Resources' or 'Inventory->Groups' menu.

However, when a user navigates to 'Inventory->Child Resources' tab of a resource (Ex: Platform resource), and enters the invalid expression, it displays the error "Failed to load resource composite data" in UI.

Below are the details in message center:

Message : Failed to load resource composite data
Severity : Error
	
Time :	Thursday, August 25, 2011 5:21:22 PM Etc/GMT-5:30
Detail :	
java.lang.RuntimeException:[1314273082029] javax.ejb.EJBException:org.rhq.enterprise.server.search.SearchExpressionException: search pattern error -> org.rhq.enterprise.server.search.SearchExpressionException:search pattern error



Below are the steps to reproduce:
1. Login to RHQ.
2. Navigate to the 'Inventory->Child Resources' tab of the inventoried platform.
3. In the search bar, enter the search criteria " document.write('<b>Hello World</b>') "
4. Press Enter key.

Please refer the attached screenshot.

Comment 4 Sunil Kondkar 2011-08-25 12:11:40 UTC
Created attachment 519830 [details]
Screenshot

Comment 5 Ian Springer 2011-08-30 16:08:01 UTC
Good catch - I forgot about the Inventory>Children subtab, which also provides a search bar. [master 74ead91] fixes that.

Comment 6 Sunil Kondkar 2011-08-31 08:42:11 UTC
Verified on build#373 (Version: 4.1.0-SNAPSHOT Build Number: 044113e)

when a user navigates to 'Inventory->Child Resources' tab of a
resource (Ex: Platform resource), and enters the invalid expression, it
displays the expected error message ""Invalid search expression." in UI.

Marking as verified.

Comment 8 Heiko W. Rupp 2013-09-03 17:01:22 UTC
Bulk closing of old issues that are in VERIFIED state.


Note You need to log in before you can comment on or make changes to this bug.