Foreman API: GETing /api/hosts with per_page=-1 triggers database error
Sending a GET request to "/api/hosts" with "per_page: -1" on a Foreman 1.10.3 server:
2016-06-06 15:28:26 ForemanErrorHandler ():742 CRITICAL: HTTP error "500 Internal Server Error" while GETing https://foreman.edst.ebaintern.de:443/api/hosts?per_page=-1!
2016-06-06 15:28:26 ForemanErrorHandler ():767 CRITICAL: Error returned: Mysql2::Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '-1 OFFSET 0' at line 1: SELECT `hosts`.* FROM `hosts` WHERE `hosts`.`type` IN ('Host::Managed') ORDER BY `hosts`.`name` ASC LIMIT -1 OFFSET 0
"per_page" is apparantly not getting validated to be non-negative when it should be.
I guess a fix for this belongs upstream in the will_paginate rubygem at https://github.com/mislav/will_paginate. Unfortunately its author appears to be a bit overloaded (81 issues, 39 PRs, some of them two years old and trivial (ie. localization)) :/
I'll try getting this patched in the will_paginate gem.
In any case this is just negative ints that cause the bad query, any other input is striped so no SQLi here.
- Status changed from New to Assigned
- Assignee set to Tomer Brisker
Tomer, did this get fixed?
- Status changed from Assigned to New
- Assignee deleted (
I never got around to this, setting back to new.
Can't reproduce it on 1.20.0-develop.
Seems to be fixed.
- Status changed from New to Feedback
Thanks for testing, closing. Please reopen or let us kniw in case it's still reproducible.
Also available in: Atom