Bug #18744 (closed)
API - PUT method for applying errata to hosts does not validate values
Description
There seems to be no input validation for parameters provided to /api/hosts/<host>/errata/apply (specifically errata_ids parameter):
$ curl -k -u admin:changeme -X PUT -H 'Content-Type: application/json' -d '{"errata_ids": 1}' https://my-server.com/api/v2/hosts/12977/errata/apply
{"displayMessage":"ERROR: operator does not exist: character varying = integer\nLINE 1: ...ROM \"katello_errata\" WHERE \"katello_errata\".\"errata_id\" = 1\n ^\nHINT: No operator matches the given name and argument type(s). You might need to add explicit type casts.\n","errors":["ERROR: operator does not exist: character varying = integer\nLINE 1: ...ROM \"katello_errata\" WHERE \"katello_errata\".\"errata_id\" = 1\n ^\nHINT: No operator matches the given name and argument type(s). You might need to add explicit type casts.\n"]}
How reproducible:
always
Steps to Reproduce:
1. get some hosts registered
2. send out the request as stated above
Actual results:
no input validation happens on the parameters, so the code uses any input and crashes with it (wrong or null type, etc.)
Expected results:
validation takes place and raises a proper exception if the input is invalid; the user receives a properly formatted error message in the JSON response.
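One way to do the validation the expected result asks for, as an added Ruby example that is not Katello's own code: it checks the PUT body for /api/v2/hosts/:id/errata/apply before anything reaches a query, so a malformed errata_ids (such as the integer 1 above) is answered with a JSON error rather than a leaked database message. The errata id pattern, the function names and the response shape are assumptions.

```ruby
require 'json'

# Assumed errata id shape, e.g. "RHSA-2017:1234" (not taken from the page).
ERRATA_ID_RE = /\A[A-Z]+-\d{4}:\d+\z/

# Validate the body of PUT /api/v2/hosts/:id/errata/apply before any query runs.
# Returns [true, []] when the body is acceptable, else [false, [error, ...]].
def validate_errata_apply(body)
  params = begin
    JSON.parse(body)
  rescue JSON::ParserError => e
    return [false, ["request body is not valid JSON: #{e.message}"]]
  end
  return [false, ['request body must be a JSON object']] unless params.is_a?(Hash)

  errors = []
  ids = params['errata_ids']
  if ids.nil?
    errors << 'errata_ids is required'
  elsif !ids.is_a?(Array)
    # This is the case from the report: errata_ids given as a bare integer.
    errors << "errata_ids must be an array of strings, got #{ids.class.name.downcase}"
  elsif ids.empty?
    errors << 'errata_ids must not be empty'
  else
    ids.each_with_index do |id, i|
      if !id.is_a?(String)
        errors << "errata_ids[#{i}] must be a string, got #{id.class.name.downcase}"
      elsif id !~ ERRATA_ID_RE
        errors << "errata_ids[#{i}] is not a valid errata id: #{id.inspect}"
      end
    end
  end
  [errors.empty?, errors]
end

# Build the [status, json] pair a controller would return: a 422 with a
# properly formatted error body on bad input, instead of a 500 carrying SQL text.
def errata_apply_response(body)
  ok, errors = validate_errata_apply(body)
  return [200, { 'applied' => JSON.parse(body)['errata_ids'] }] if ok
  [422, { 'displayMessage' => errors.first, 'errors' => errors }]
end
```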
Updated by Kavita Gaikwad almost 8 years ago
- Subject changed from API - PUT method for applying errata to hosts does not validate values to API - PUT method for applying errata to hosts does not validate values
- Assignee set to Kavita Gaikwad
Updated by Eric Helms over 7 years ago
- Release set to 114
Updated by Marek Hulán over 7 years ago
This looks similar to http://projects.theforeman.org/issues/13670; it seems that wrapping the errata id in quotes might help. Anyway, I can't reproduce the linked issue anymore, so it is probably worth rechecking this one too.
Updated by Kavita Gaikwad over 4 years ago
- Status changed from New to Resolved
No longer able to reproduce so marking it as resolved.
Please reopen if you still encounter this issue.