Bug #18744

closed

API - PUT method for applying errata to hosts does not validate values

Added by Ondřej Pražák about 8 years ago. Updated almost 5 years ago.

Status:
Resolved
Priority:
Normal
Category:
-
Target version:
Difficulty:
Triaged:
Yes
Fixed in Releases:
Found in Releases:

Description

There seems to be no input validation for parameters provided to /api/hosts/<host>/errata/apply (specifically the errata_ids parameter):

$ curl -k -u admin:changeme -X PUT -H 'Content-Type: application/json' -d '{"errata_ids": 1}' https://my-server.com/api/v2/hosts/12977/errata/apply
{"displayMessage":"ERROR:  operator does not exist: character varying = integer\nLINE 1: ...ROM \"katello_errata\"  WHERE \"katello_errata\".\"errata_id\" = 1\n                                                                    ^\nHINT:  No operator matches the given name and argument type(s). You might need to add explicit type casts.\n","errors":["ERROR:  operator does not exist: character varying = integer\nLINE 1: ...ROM \"katello_errata\"  WHERE \"katello_errata\".\"errata_id\" = 1\n                                                                    ^\nHINT:  No operator matches the given name and argument type(s). You might need to add explicit type casts.\n"]}

How reproducible:
always

Steps to Reproduce:
1. get some hosts registered
2. send out the request as stated above

Actual results:
no input validation happens on the parameters, so the code uses any input and crashes with it (wrong or null type, etc.)

Expected results:
validation takes place and raises a proper exception if the input is invalid; the user receives a properly formatted error message in the JSON response.
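The kind of check the expected result describes, as an added example that is not Katello's own code: a stand-alone Ruby stand-in for the errata-apply action that rejects a malformed errata_ids parameter before any database query runs and answers with the same {"displayMessage", "errors"} JSON shape the API already uses. The function names, the 400 status and the sample erratum ids are assumptions.

```ruby
require 'json'

# Added example, not Katello code: validate errata_ids before it reaches the
# database, so a bad type yields a structured client error instead of a leaked
# PostgreSQL "operator does not exist: character varying = integer" message.
class InvalidParameterError < StandardError; end

# errata_ids must be a non-empty Array of non-blank Strings (erratum ids are
# stored as character varying, which is why an Integer blows up in the WHERE
# clause). Returns the cleaned, de-duplicated list.
def validate_errata_ids!(params)
  ids = params['errata_ids']
  raise InvalidParameterError, 'errata_ids is required' if ids.nil?
  raise InvalidParameterError, "errata_ids must be an Array, got #{ids.class}" unless ids.is_a?(Array)
  raise InvalidParameterError, 'errata_ids must not be empty' if ids.empty?
  bad = ids.reject { |id| id.is_a?(String) && !id.strip.empty? }
  unless bad.empty?
    raise InvalidParameterError,
          "errata_ids must contain non-empty strings, got #{bad.map(&:inspect).join(', ')}"
  end
  ids.map(&:strip).uniq
end

# Simulated controller action (assumed name): returns [status, body]; the body
# mirrors the {"displayMessage"=>..., "errors"=>[...]} layout seen in the report.
def apply_errata(params)
  ids = validate_errata_ids!(params)
  # A real action would now look up the errata rows and start the apply task.
  [200, { 'displayMessage' => "Applying #{ids.length} errata", 'errata_ids' => ids }]
rescue InvalidParameterError => e
  [400, { 'displayMessage' => e.message, 'errors' => [e.message] }]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request bodies: the one from the report, a null, and a valid one.
  ['{"errata_ids": 1}',
   '{"errata_ids": null}',
   '{"errata_ids": ["RHSA-2017:0001", " RHBA-2017:0002 "]}'].each do |raw|
    status, body = apply_errata(JSON.parse(raw))
    puts "#{raw} -> #{status} #{body.to_json}"
  end
end
```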

#1

Updated by Kavita Gaikwad about 8 years ago

  • Subject changed from API - PUT method for applying errata to hosts does not validate values to API - PUT method for applying errata to hosts does not validate values
  • Assignee set to Kavita Gaikwad
#2

Updated by Eric Helms about 8 years ago

  • Release set to 114
#4

Updated by Kavita Gaikwad almost 5 years ago

  • Status changed from New to Resolved