Bug #17343

It is not possible to use empty list as value for optional parameters via API

Added by Stanislav Tkachenko about 2 years ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Category: API
Target version:
Difficulty:
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Description of problem:
Some entities have optional array parameters that allow a nil value. Previously it was possible to send an empty list '[]' as the value to clear all values, but now, according to dLobatog, it is not possible because of a new security mechanism in Rails.

Though it affects all the optional parameters, some example entities/parameters are: smart_proxies.locations, location.smart_proxies, organization.smart_proxies, organization.hostgroup_ids.

  1. Update with empty list

Making HTTP PUT request to https://sat6.com/katello/api/v2/organizations/39 with options {'verify': False, 'auth': ('admin', 'changeme'), 'headers': {'content-type': 'application/json'}} and data {"organization": {"smart_proxy_ids": []}}.

  1. Response

Received HTTP 200 response:

{
"name":"XWsKJtxSBN",
"id":39,
"smart_proxies":[ {
"name":"sat6.com",
"id":1,
"url":"https://sat6.com:9090"
}, {
"name":"Oa5c2S",
"id":11,
"url":"https://sat6.com:11629"
}
}

Steps to Reproduce:
1. Create entity that has optional array parameters
2. Update that parameter with some value
3. Update that parameter one more time with empty list
4. Check that values from point 2 have not changed

Actual results:
When updating with empty list nothing happens, optional parameter has all previous values

Expected results:
All values should be cleared


Related issues

Related to Foreman - Bug #18155: OrganizationsControllerTest empty array test uses invalid data for form encoding (Closed, 2017-01-19)

Associated revisions

Revision 27752930 (diff)
Added by Kavita Gaikwad almost 2 years ago

Fixes #17343 - set deep munge config off

deep_munge was introduced as a solution to keep
Rails secure by default which results in
'empty array becomes nil in params'.
That's why, set deep_munge config off in application.rb.
Also, added changes which will cast param argument to string
while calling find_by_{string_type_attr} method on object.

History

#1 Updated by Daniel Lobato Garcia about 2 years ago

The reason seems to be that Rails 4 converts these attributes to 'nil' and they are ignored.

2016-11-15T13:57:48 b5024cb3 [app] [D] Value for params[:smart_proxy][:locations] was set to nil, because it was one of [], [null] or [null, null, ...]. Go to http://guides.rubyonrails.org/security.html#unsafe-query-generation for more information.

Then when I check smart_proxy_params on the update action, it's gone.
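The behaviour in the log line above, and the trade-off in the associated revision, as an added example that is not part of this comment or of Foreman's code: a simplified pure-Ruby model of the deep-munge pass. The helpers `permit_array`, `update` and `lookup` and the rows are hypothetical and constructed; the model shows the empty list being dropped, and why switching the pass off calls for the string cast the commit mentions.

```ruby
# Simplified model of the Rails 4 deep-munge pass (constructed, not Rails source):
# arrays lose their nil members, and an array left empty is replaced by nil.
def deep_munge(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), out| out[k] = deep_munge(v) }
  when Array
    kept = value.map { |v| deep_munge(v) }.compact
    kept.empty? ? nil : kept
  else
    value
  end
end

# Hypothetical stand-in for a strong-parameters filter permitting an array:
# a key whose value is no longer an Array is dropped from the update.
def permit_array(params, key)
  params[key].is_a?(Array) ? { key => params[key] } : {}
end

# Hypothetical update action. munge: false models the pass being switched off
# (config.action_dispatch.perform_deep_munge = false in application.rb).
def update(record, body, munge:)
  params = munge ? deep_munge(body) : body
  record.merge(permit_array(params["organization"], "smart_proxy_ids"))
end

# Constructed rows and a find_by-style lookup on a string column: an array
# argument matches any member, so [nil] matches the row whose token is NULL.
ROWS = [{ "id" => 1, "token" => nil }, { "id" => 2, "token" => "s3cr3t" }].freeze

def lookup(token)
  return nil if token.nil? # the nil guard that [nil] slips past
  wanted = token.is_a?(Array) ? token : [token]
  ROWS.find { |row| wanted.include?(row["token"]) }
end

RECORD = { "smart_proxy_ids" => [1, 11] }.freeze          # ids from the report
BODY   = { "organization" => { "smart_proxy_ids" => [] } }.freeze

if __FILE__ == $PROGRAM_NAME
  p update(RECORD, BODY, munge: true)   # empty list dropped, ids kept
  p update(RECORD, BODY, munge: false)  # empty list applied, ids cleared
  p lookup(deep_munge("token" => [nil])["token"]) # munged to nil, guard holds
  p lookup([nil])                       # pass off, raw value: NULL row matches
  p lookup([nil].to_s)                  # pass off, cast to string: no match
end
```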

#2 Updated by Marek Hulán about 2 years ago

  • Bugzilla link set to 1395229

#3 Updated by Kavita Gaikwad almost 2 years ago

  • Assignee set to Kavita Gaikwad
  • Target version set to 1.15.6

#4 Updated by Swapnil Abnave almost 2 years ago

  • Target version changed from 1.15.6 to 1.15.1

#5 Updated by The Foreman Bot almost 2 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4042 added

#6 Updated by Kavita Gaikwad almost 2 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#7 Updated by Dominic Cleal almost 2 years ago

  • Legacy Backlogs Release (now unused) set to 189

#8 Updated by Dominic Cleal almost 2 years ago

  • Related to Bug #18155: OrganizationsControllerTest empty array test uses invalid data for form encoding added
