Search raises PGError on feeding a non-integer value for an integer field
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1283933
Description of problem:
While performing a search on any Foreman entity, an error is raised on filtering integer-based attributes with non-integer values:
This error exposes a SQL query:
PGError: ERROR: invalid input syntax for integer: "not_an_int" LINE 1: ... WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDE... ^ : SELECT "operatingsystems".* FROM "operatingsystems" WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDER BY title LIMIT 20 OFFSET 0
Version-Release number of selected component (if applicable):
- rpm -qa katello
- rpm -qa foreman*
Steps to Reproduce:
1. Log in to the web UI
2. Go to any Foreman entity summary page (e.g. architectures, operating systems, ...)
3. Type in a query based on an integer-based attribute (e.g. hosts_count) and provide a non-integer value (e.g. hosts_count = 'foo')
Although it is alright for the query to fail, the input should be validated before being passed to the actual SQL query (perhaps a SQL injection might be possible?).
The neat solution might be to display an error notification as a popup, so the user doesn't need to leave the search page every time he makes an error in the search query.
no SQL tables were harmed during producing this BZ.
#2 Updated by Dominic Cleal almost 6 years ago
- Subject changed from WebUI - scoped search (foreman instances) raises PGError on feeding a non-integer value for an integer field to Search raises PGError on feeding a non-integer value for an integer field
- Category changed from Web Interface to Search
- Assignee deleted (
- Legacy Backlogs Release (now unused) set to 63
Please don't set the assignee on new bug reports.
#5 Updated by Kavita Gaikwad almost 5 years ago
This issue is related to the scoped_search gem.
A similar issue has been created against scoped_search. Link - https://github.com/wvanbergen/scoped_search/issues/148.
For this issue in scoped_search, someone has already created a pull request. Link - https://github.com/wvanbergen/scoped_search/pull/149
It might help to get rid of this SQL exception.
#7 Updated by Shimon Shtein almost 5 years ago
We have to wait for an official release of the scoped_search gem. Once it's released, we can add validators to those fields. You can see an example in foreman-tasks: https://github.com/theforeman/foreman-tasks/pull/212
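Added example (not Foreman's, foreman-tasks' or scoped_search's code) of the kind of validation the report and the comment above ask for: a search condition such as `hostgroups_count <= 'not_an_int'` is checked against a hypothetical field-type map before any SQL is built, so a bad value produces a user-facing error instead of a PGError, and the value is passed as a bound parameter rather than spliced into the SQL text. The field names, operators and messages are assumptions for illustration.

```ruby
# Added example, not Foreman or scoped_search code. Validates search values for
# integer-typed fields before they reach the database.

# Hypothetical allow-list of searchable columns and their types, modelled on the
# attributes mentioned in the report. Unknown field names are rejected so that a
# user-supplied name can never be interpolated into SQL.
SEARCHABLE_FIELDS = {
  'hosts_count'      => :integer,
  'hostgroups_count' => :integer,
  'name'             => :string,
  'title'            => :string,
}.freeze

class InvalidSearchValue < StandardError; end

# One condition of the form: field OP value, where value may be single- or
# double-quoted or bare.
CONDITION_RE = /\A\s*(\w+)\s*(<=|>=|<>|!=|=|<|>)\s*(?:'([^']*)'|"([^"]*)"|(\S+))\s*\z/

def parse_condition(condition)
  m = CONDITION_RE.match(condition) or raise InvalidSearchValue, "cannot parse #{condition.inspect}"
  field, op = m[1], m[2]
  value = m[3] || m[4] || m[5]
  [field, op, value]
end

# Returns the Integer when the value is a valid base-10 integer literal,
# otherwise raises InvalidSearchValue with a message fit for a UI notification.
def validate_integer_value(field, value)
  return Integer(value, 10) if value.match?(/\A[+-]?\d+\z/)
  raise InvalidSearchValue, "Value #{value.inspect} for #{field} must be an integer"
end

# Builds a parameterised WHERE fragment: the SQL text with a ? placeholder plus
# the bound value. The column name comes only from the allow-list above.
def build_condition(condition)
  field, op, value = parse_condition(condition)
  type = SEARCHABLE_FIELDS[field] or raise InvalidSearchValue, "Unknown search field #{field.inspect}"
  value = validate_integer_value(field, value) if type == :integer
  ["#{field} #{op} ?", value]
end

# Wrapper for a controller: returns the fragment, or a hash with the error
# message to show as a popup instead of letting the query fail in PostgreSQL.
def safe_condition(condition)
  build_condition(condition)
rescue InvalidSearchValue => e
  { error: e.message }
end
```

With this in front of the query builder, `hosts_count = 42` yields `["hosts_count = ?", 42]`, while `hostgroups_count <= 'not_an_int'` (the input from the report) is refused before any statement is sent to the database.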
#9 Updated by Shimon Shtein almost 5 years ago
- Assignee changed from Kavita Gaikwad to Shimon Shtein
Scoped search 4.0.0 released. (https://github.com/wvanbergen/scoped_search/releases/tag/v4.0.0)