Bug #18084
closedSearch raises PGError on feeding a non-integer value for a integer field
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1283933
Description of problem:
while performing a search on any Foreman entity, there is an error raised on filtering integer-based attributes with non-integer values:
This error exposes a SQL query:
Warning!
PGError: ERROR: invalid input syntax for integer: "not_an_int" LINE 1: ... WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDE... ^ : SELECT "operatingsystems".* FROM "operatingsystems" WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDER BY title LIMIT 20 OFFSET 0
Version-Release number of selected component (if applicable):
rpm -qa katello
katello-2.4.0-6.nightly.el7.noarch
rpm -qa foreman*
foreman-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-proxy-1.11.0-0.develop.201511161424gitf24be74.el7.noarch
foreman-release-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-libvirt-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-release-scl-1-1.el7.x86_64
foreman-ovirt-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-postgresql-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-selinux-1.11.0-0.develop.201510071426git6234447.el7.noarch
foreman-debug-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-compute-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-gce-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-vmware-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
How reproducible:
every time
Steps to Reproduce:
1. login to webui
2. go to content-view page (e.g. architectures, operating systems,..)
3. type in a query based on an integer-based attribute (e.g. organization_id) and provide a non-integer value (e.g. organization_id = 'foo')
Actual results:
PGError warning
Expected results:
Although it is alright for the query to fail, the input should be validated before passed to the actual SQL query (perhaps a sql injection might be possible?).
The neat solution might be to display an error notification as a popup, so user doesn't need to leave the search page every time he makes an error in the search query
Additional info:
no SQL tables were harmed during producing this BZ.