Project

General

Profile

Actions
Copy link

Bug #18084

closed

Search raises PGError on feeding a non-integer value for a integer field

Added by Kavita Gaikwad almost 8 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Kavita Gaikwad
Category:
-
Target version:
Katello 3.4.0
Difficulty:
Triaged:
Bugzilla link:
1283933
Pull request:
https://github.com/Katello/katello/pull/6546
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1283933
Description of problem:
while performing a search on any Foreman entity, there is an error raised on filtering integer-based attributes with non-integer values:

This error exposes a SQL query:

Warning!
PGError: ERROR: invalid input syntax for integer: "not_an_int" LINE 1: ... WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDE... ^ : SELECT "operatingsystems".* FROM "operatingsystems" WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDER BY title LIMIT 20 OFFSET 0

Version-Release number of selected component (if applicable):

rpm -qa katello
    katello-2.4.0-6.nightly.el7.noarch
    rpm -qa foreman*
    foreman-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
    foreman-proxy-1.11.0-0.develop.201511161424gitf24be74.el7.noarch
    foreman-release-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
    foreman-libvirt-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
    foreman-release-scl-1-1.el7.x86_64
    foreman-ovirt-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
    foreman-postgresql-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
    foreman-selinux-1.11.0-0.develop.201510071426git6234447.el7.noarch
    foreman-debug-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
    foreman-compute-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
    foreman-gce-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
    foreman-vmware-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch

How reproducible:
every time

Steps to Reproduce:
1. login to webui
2. go to content-view page (e.g. architectures, operating systems,..)
3. type in a query based on an integer-based attribute (e.g. organization_id) and provide a non-integer value (e.g. organization_id = 'foo')

Actual results:
PGError warning

Expected results:
Although it is alright for the query to fail, the input should be validated before passed to the actual SQL query (perhaps a sql injection might be possible?).
The neat solution might be to display an error notification as a popup, so user doesn't need to leave the search page every time he makes an error in the search query

Additional info:
no SQL tables were harmed during producing this BZ.

Related issues 1 (0 open1 closed)

Related to Foreman - Bug #12547: Search raises PGError on feeding a non-integer value for a integer fieldClosedKavita Gaikwad11/20/2015Actions
Actions
Copy link
 #1

Updated by Kavita Gaikwad almost 8 years ago

  • Related to Bug #12547: Search raises PGError on feeding a non-integer value for a integer field added
Actions
Copy link
 #2

Updated by The Foreman Bot almost 8 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/6546 added
Actions
Copy link
 #3

Updated by Kavita Gaikwad almost 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions
Copy link
 #4

Updated by Justin Sherrill almost 8 years ago

  • Translation missing: en.field_release set to 211
Actions
Copy link
 #5

Updated by Kavita Gaikwad almost 8 years ago

  • Target version set to 158
Actions
Copy link

Also available in: Atom PDF