Project

General

Profile

Actions

Bug #18084

closed

Search raises PGError on feeding a non-integer value for a integer field

Added by Kavita Gaikwad about 7 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Category:
-
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1283933
Description of problem:
while performing a search on any Foreman entity, there is an error raised on filtering integer-based attributes with non-integer values:

This error exposes a SQL query:

Warning!
PGError: ERROR: invalid input syntax for integer: "not_an_int" LINE 1: ... WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDE... ^ : SELECT "operatingsystems".* FROM "operatingsystems" WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDER BY title LIMIT 20 OFFSET 0

Version-Release number of selected component (if applicable):

rpm -qa katello
katello-2.4.0-6.nightly.el7.noarch
rpm -qa foreman*
foreman-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-proxy-1.11.0-0.develop.201511161424gitf24be74.el7.noarch
foreman-release-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-libvirt-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-release-scl-1-1.el7.x86_64
foreman-ovirt-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-postgresql-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-selinux-1.11.0-0.develop.201510071426git6234447.el7.noarch
foreman-debug-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-compute-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-gce-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-vmware-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch

How reproducible:
every time

Steps to Reproduce:
1. login to webui
2. go to content-view page (e.g. architectures, operating systems,..)
3. type in a query based on an integer-based attribute (e.g. organization_id) and provide a non-integer value (e.g. organization_id = 'foo')

Actual results:
PGError warning

Expected results:
Although it is alright for the query to fail, the input should be validated before passed to the actual SQL query (perhaps a sql injection might be possible?).
The neat solution might be to display an error notification as a popup, so user doesn't need to leave the search page every time he makes an error in the search query

Additional info:
no SQL tables were harmed during producing this BZ.


Related issues 1 (0 open1 closed)

Related to Foreman - Bug #12547: Search raises PGError on feeding a non-integer value for a integer fieldClosedKavita Gaikwad11/20/2015Actions
Actions #1

Updated by Kavita Gaikwad about 7 years ago

  • Related to Bug #12547: Search raises PGError on feeding a non-integer value for a integer field added
Actions #2

Updated by The Foreman Bot about 7 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/6546 added
Actions #3

Updated by Kavita Gaikwad about 7 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #4

Updated by Justin Sherrill about 7 years ago

  • translation missing: en.field_release set to 211
Actions #5

Updated by Kavita Gaikwad about 7 years ago

  • Target version set to 158
Actions

Also available in: Atom PDF