Bug #15307
Foreman API: GETing /api/hosts with per_page=-1 triggers database error
Description
Sending a GET request to "/api/hosts" with "per_page: -1" on a Foreman 1.10.3 server:
2016-06-06 15:28:26 ForemanErrorHandler ():742 CRITICAL: HTTP error "500 Internal Server Error" while GETing https://foreman.edst.ebaintern.de:443/api/hosts?per_page=-1!
2016-06-06 15:28:26 ForemanErrorHandler ():767 CRITICAL: Error returned: Mysql2::Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '-1 OFFSET 0' at line 1: SELECT `hosts`.* FROM `hosts` WHERE `hosts`.`type` IN ('Host::Managed') ORDER BY `hosts`.`name` ASC LIMIT -1 OFFSET 0
"per_page" is apparantly not getting validated to be non-negative when it should be.
History
#1
Updated by Pieter Hollants almost 4 years ago
Updated by I guess a fix for this belongs upstream in the will_paginate rubygem at https://github.com/mislav/will_paginate. Unfortunately its author appears to be a bit overloaded (81 issues, 39 PRs, some of them two years old and trivial (ie. localization)) :/
#2
Updated by Tomer Brisker almost 4 years ago
Updated by I'll try getting this patched in the will_paginate gem.
In any case this is just negative ints that cause the bad query, any other input is striped so no SQLi here.
#3
Updated by Tomer Brisker almost 4 years ago
- Status changed from New to Assigned
- Assignee set to Tomer Brisker
#4
Updated by Michael Moll almost 3 years ago
Updated by Tomer, did this get fixed?
#5
Updated by Tomer Brisker almost 3 years ago
- Status changed from Assigned to New
- Assignee deleted (
Tomer Brisker)
I never got around to this, setting back to new.
#6
Updated by boaz shust over 1 year ago
Updated by Can't reproduce it on 1.20.0-develop.
Seems to be fixed.
#7
Updated by Marek Hulán over 1 year ago
Updated by - Status changed from New to Feedback
Thanks for testing, closing. Please reopen or let us kniw in case it's still reproducible.