Description of problem:
If a user pastes JavaScript into the search bar, an unhandled error is displayed.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Navigate to $resource > inventory
2. In the search bar, enter the string "<script type="text/javascript"> document.write('<b>Hello World</b>'); </script>"
3. View results

Actual results:
Message Center :
Failed to load resource composite data
Severity : Error
Time : Thu 10 Feb 2011 10:40:50 PM EST
Detail : java.lang.RuntimeException:javax.ejb.EJBException:org.rhq.enterprise.server.search.SearchExpressionException: search pattern error -> org.rhq.enterprise.server.search.SearchExpressionException:search pattern error

Expected results:

Additional info:
Actually, just entering this -- document.write('<b>Hello World</b>') -- will cause a similar error.
I don't see a security bug here. However, we should be printing a friendly "Invalid search expression." error rather than an ugly stack trace with the SearchExpressionException buried inside it.
[master ad611c8] fixes this. We now display an "Invalid search expression." error message if the user enters an invalid search expression on either the Resource or group list views.
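The pattern comments 2 and 3 describe, a parse failure on user input surfaced as a fixed "Invalid search expression." message instead of the raw exception chain, as an added illustration. This is not RHQ's code: the class names, the toy `parse` grammar and the `UserVisibleException` type are hypothetical stand-ins; only the message text and the shape of the rejected input come from the report above.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, not RHQ code. SearchService, parse() and the exception
// classes are hypothetical stand-ins for the server-side search entry point.
public class SearchService {

    /** Stand-in for the parser's own exception; its message may echo user input. */
    public static class SearchExpressionException extends Exception {
        public SearchExpressionException(String msg) { super(msg); }
    }

    /** What the UI layer receives: carries only text that is safe to display. */
    public static class UserVisibleException extends Exception {
        public UserVisibleException(String msg) { super(msg); }
    }

    public static final String INVALID_EXPRESSION = "Invalid search expression.";

    private static final Logger LOG = Logger.getLogger(SearchService.class.getName());

    /**
     * Toy grammar: whitespace-separated "key=value" terms. Anything else,
     * e.g. document.write('<b>Hello World</b>'), is a pattern error.
     */
    static List<String> parse(String expression) throws SearchExpressionException {
        List<String> terms = new ArrayList<>();
        for (String term : expression.trim().split("\\s+")) {
            if (!term.matches("[A-Za-z][A-Za-z0-9.]*=[A-Za-z0-9._*-]+")) {
                throw new SearchExpressionException("search pattern error near: " + term);
            }
            terms.add(term);
        }
        return terms;
    }

    /** Entry point the list views call. */
    public List<String> search(String expression) throws UserVisibleException {
        try {
            return parse(expression);
        } catch (SearchExpressionException e) {
            // Detail stays in the server log, tagged with an id the user could
            // quote back; the client gets one fixed message and never sees the
            // exception class names or the echoed input.
            long correlationId = System.currentTimeMillis();
            LOG.log(Level.INFO, "[" + correlationId + "] rejected search expression: " + e.getMessage());
            throw new UserVisibleException(INVALID_EXPRESSION);
        }
    }

    public static void main(String[] args) {
        SearchService svc = new SearchService();
        String[] inputs = {
            "name=jboss* type=Platform",               // valid in the toy grammar
            "document.write('<b>Hello World</b>')"     // the input from the report
        };
        for (String input : inputs) {
            try {
                System.out.println("OK   " + svc.search(input));
            } catch (UserVisibleException e) {
                System.out.println("FAIL " + e.getMessage());
            }
        }
    }
}
```

The point of the split between the two exception types is that nothing derived from the input or from the server's class hierarchy crosses into the UI message; the catch block is also the single place to widen if other parse-time failures need the same friendly treatment, which is what the follow-up in the Inventory>Children subtab below turned out to need.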
Tested on build#344 (Version: 4.1.0-SNAPSHOT Build Number: bdc6f5e)

The error message "Invalid search expression." is displayed to the user when the user enters an invalid search expression on the resource or group list views in the 'Inventory->Resources' or 'Inventory->Groups' menu.

However, when a user navigates to the 'Inventory->Child Resources' tab of a resource (Ex: Platform resource) and enters the invalid expression, it displays the error "Failed to load resource composite data" in the UI. Below are the details in the message center:

Message : Failed to load resource composite data
Severity : Error
Time : Thursday, August 25, 2011 5:21:22 PM Etc/GMT-5:30
Detail : java.lang.RuntimeException:[1314273082029] javax.ejb.EJBException:org.rhq.enterprise.server.search.SearchExpressionException: search pattern error -> org.rhq.enterprise.server.search.SearchExpressionException:search pattern error

Below are the steps to reproduce:
1. Login to RHQ.
2. Navigate to the 'Inventory->Child Resources' tab of the inventoried platform.
3. In the search bar, enter the search criteria " document.write('<b>Hello World</b>') "
4. Press Enter key.

Please refer to the attached screenshot.
Created attachment 519830: Screenshot
Good catch - I forgot about the Inventory>Children subtab, which also provides a search bar. [master 74ead91] fixes that.
Verified on build#373 (Version: 4.1.0-SNAPSHOT Build Number: 044113e)

When a user navigates to the 'Inventory->Child Resources' tab of a resource (Ex: Platform resource) and enters the invalid expression, it displays the expected error message "Invalid search expression." in the UI. Marking as verified.
Bulk closing of old issues that are in VERIFIED state.