Bug #12547
closed
Search raises PGError on feeding a non-integer value for a integer field
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1283933
Description of problem:
while performing a search on any Foreman entity, there is an error raised on filtering integer-based attributes with non-integer values:
This error exposes a SQL query:
Warning!
PGError: ERROR: invalid input syntax for integer: "not_an_int" LINE 1: ... WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDE... ^ : SELECT "operatingsystems".* FROM "operatingsystems" WHERE (("operatingsystems"."hostgroups_count" <= 'not_an_int')) ORDER BY title LIMIT 20 OFFSET 0
Version-Release number of selected component (if applicable):
- rpm -qa katello
katello-2.4.0-6.nightly.el7.noarch - rpm -qa foreman*
foreman-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-proxy-1.11.0-0.develop.201511161424gitf24be74.el7.noarch
foreman-release-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-libvirt-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-release-scl-1-1.el7.x86_64
foreman-ovirt-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-postgresql-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-selinux-1.11.0-0.develop.201510071426git6234447.el7.noarch
foreman-debug-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-compute-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-gce-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
foreman-vmware-1.11.0-0.develop.201511181617git2fc4d6d.el7.noarch
How reproducible:
every time
Steps to Reproduce:
1. login to webui
2. go to any foreman entity summary page (e.g. architectures, operating systems,..)
3. type in a query based on an integer-based attribute (e.g. hosts_count) and provide a non-integer value (e.g. hosts_count = 'foo')
Actual results:
PGError warning
Expected results:
Although it is alright for the query to fail, the input should be validated before passed to the actual SQL query (perhaps a sql injection might be possible?).
The neat solution might be to display an error notification as a popup, so user doesn't need to leave the search page every time he makes an error in the search query
Additional info:
no SQL tables were harmed during producing this BZ.
Updated by Dominic Cleal over 8 years ago
- Related to Feature #11150: Allow searching of facts as types other than string added
Updated by Dominic Cleal over 8 years ago
- Subject changed from WebUI - scoped search (foreman instances) raises PGError on feeding a non-integer value for a integer field to Search raises PGError on feeding a non-integer value for a integer field
- Category changed from Web Interface to Search
- Assignee deleted (
Ohad Levy) - translation missing: en.field_release set to 63
Please don't set the assignee on new bug reports.
Updated by Dominic Cleal over 8 years ago
- Related to deleted (Feature #11150: Allow searching of facts as types other than string)
Updated by Dominic Cleal over 8 years ago
- translation missing: en.field_release deleted (
63)
Misread, this is unrelated to the casting in the previously linked bug report as that'll only happen for int inputs.
Updated by Kavita Gaikwad over 7 years ago
This issue is related scoped_search gem.
The similar kind of issue is created against scoped_search. Link - https://github.com/wvanbergen/scoped_search/issues/148.
For this issue in scoped_search, someone is already created pull-request. Link - https://github.com/wvanbergen/scoped_search/pull/149
Which might be helpful to get rid of this SQL exception.
Updated by Shimon Shtein over 7 years ago
We have to wait for an official release of the scoped_search gem. Once it's released, we can add validators to those fields. You can see an example in foreman-tasks: https://github.com/theforeman/foreman-tasks/pull/212
Updated by Shimon Shtein over 7 years ago
- Assignee changed from Kavita Gaikwad to Shimon Shtein
Scoped search 4.0.0 released. (https://github.com/wvanbergen/scoped_search/releases/tag/v4.0.0)
Updated by Dominic Cleal over 7 years ago
- Blocked by Refactor #17574: Update to scoped_search 4.x added
Updated by Kavita Gaikwad over 7 years ago
- Assignee changed from Shimon Shtein to Kavita Gaikwad
Updated by Kavita Gaikwad over 7 years ago
- Target version changed from 1.15.6 to 1.15.4
Updated by Anurag Patel over 7 years ago
- Target version changed from 1.15.4 to 158
Updated by The Foreman Bot over 7 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/4191 added
Updated by Kavita Gaikwad over 7 years ago
- Related to Bug #18084: Search raises PGError on feeding a non-integer value for a integer field added
Updated by Kavita Gaikwad over 7 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 3ab02530da61926a1fbb70135c7bce51534c3fd6.
Updated by Dominic Cleal over 7 years ago
- translation missing: en.field_release set to 209