Task search not properly validating input, throws SQL error
|Assigned To:||Shimon Shtein|
|Target version:||Foreman - Team Ivan Iteration 12|
|Found in release:||Pull request:||https://github.com/wvanbergen/scoped_search/pull/149, https://github.com/theforeman/foreman-tasks/pull/212|
|Velocity based estimate||-|
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1248271
Description of problem:
Depending on expected inputs, user can get a SQL error thrown on Tasks when providing wrong input type.
Steps to Reproduce:
1. Create admin user named 'mmccune'
2. Using 'mmccune', perform a variety of tasks.
3. Monitor > Tasks
4. in search filter, search for owner.id = mmccune (note that this is incorrect; id is expecting an integer)
PGError: ERROR: invalid input syntax for integer: "mmccune" LINE 4: ...) WHERE ((foreman_tasks_locks_owner.resource_id = 'mmccune')... ^ : SELECT "foreman_tasks_tasks".* FROM "foreman_tasks_tasks" INNER JOIN foreman_tasks_locks AS foreman_tasks_locks_owner ON (foreman_tasks_locks_owner.task_id = foreman_tasks_tasks.id AND foreman_tasks_locks_owner.resource_type = 'User' AND foreman_tasks_locks_owner.name = 'task_owner') WHERE ((foreman_tasks_locks_owner.resource_id = 'mmccune')) ORDER BY "foreman_tasks_tasks"."started_at" DESC NULLS LAST LIMIT 20 OFFSET 0
Proper handling of incorrect inputs.
#3 Updated by Shimon Shtein almost 2 years ago
Added an issue in scoped_search with a suggestion to solve: https://github.com/wvanbergen/scoped_search/issues/148