Bug #15307
closed
Foreman API: GETing /api/hosts with per_page=-1 triggers database error
Description
Sending a GET request to "/api/hosts" with "per_page: -1" on a Foreman 1.10.3 server:
2016-06-06 15:28:26 ForemanErrorHandler ():742 CRITICAL: HTTP error "500 Internal Server Error" while GETing https://foreman.edst.ebaintern.de:443/api/hosts?per_page=-1!
2016-06-06 15:28:26 ForemanErrorHandler ():767 CRITICAL: Error returned: Mysql2::Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '-1 OFFSET 0' at line 1: SELECT `hosts`.* FROM `hosts` WHERE `hosts`.`type` IN ('Host::Managed') ORDER BY `hosts`.`name` ASC LIMIT -1 OFFSET 0
"per_page" is apparantly not getting validated to be non-negative when it should be.
Updated by Pieter Hollants about 10 years ago
I guess a fix for this belongs upstream in the will_paginate rubygem at https://github.com/mislav/will_paginate. Unfortunately its author appears to be a bit overloaded (81 issues, 39 PRs, some of them two years old and trivial (ie. localization)) :/
Updated by Tomer Brisker about 10 years ago
I'll try getting this patched in the will_paginate gem.
In any case this is just negative ints that cause the bad query, any other input is striped so no SQLi here.
Updated by Tomer Brisker about 10 years ago
- Status changed from New to Assigned
- Assignee set to Tomer Brisker
Updated by Anonymous
Updated by Tomer Brisker about 9 years ago
- Status changed from Assigned to New
- Assignee deleted (
Tomer Brisker)
I never got around to this, setting back to new.
Updated by boaz shust almost 8 years ago
Can't reproduce it on 1.20.0-develop.
Seems to be fixed.
Updated by Marek Hulán almost 8 years ago
- Status changed from New to Feedback
Thanks for testing, closing. Please reopen or let us kniw in case it's still reproducible.