action #133901

open

[o3 logreport] DBD::Pg::st execute failed: ERROR: invalid input syntax for type bigint: "1'"

Added by tinita 9 months ago. Updated 9 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Regressions/Crashes
Target version:
Start date: 2023-08-07
Due date:
% Done: 0%
Estimated time:

Description

Observation

From o3 /var/log/openqa:

[2023-08-05T20:39:10.313025Z] [error] [wjDADFtweJVf] DBIx::Class::Storage::DBI::_dbh_execute(): DBI Exception: DBD::Pg::st execute failed: ERROR:  invalid input
syntax for type bigint: "1'"
CONTEXT:  unnamed portal parameter $1 = '...' [for Statement "SELECT COUNT( * ) FROM scheduled_products me WHERE ( me.id = ? )" with ParamValues: 1='1''] at
/usr/share/openqa/script/../lib/OpenQA/WebAPI/ServerSideDataTable.pm line 33

[2023-08-05T20:40:04.268615Z] [error] [SXp2NHWv1rW-] DBIx::Class::Storage::DBI::_dbh_execute(): DBI Exception: DBD::Pg::st execute failed: ERROR:  invalid input
syntax for type bigint: "1<script>alert(1)</script>"
CONTEXT:  unnamed portal parameter $1 = '...' [for Statement "SELECT COUNT( * ) FROM scheduled_products me WHERE ( me.id = ? )" with ParamValues:
1='1<script>alert(1)</script>'] at /usr/share/openqa/script/../lib/OpenQA/WebAPI/ServerSideDataTable.pm line 33

Happens with this for example: https://openqa.opensuse.org/admin/productlog?id=327913lala

There are 4 places where OpenQA::WebAPI::ServerSideDataTable::render_response is used.

Acceptance Criteria

AC1: Parameters for the mentioned calls are validated
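
One way to satisfy AC1, as an added example that is not part of the ticket and not openQA's code: the id is checked against PostgreSQL's bigint range before it is bound into the query, so malformed input gets a 400 response instead of a DBI exception in the log. The function names, the response hash and the extra sample values are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Math::BigInt;    # core module; avoids relying on 64-bit native integers

# Largest value a PostgreSQL bigint column accepts.
my $BIGINT_MAX = Math::BigInt->new('9223372036854775807');

# Return the id as a canonical decimal string if it is a non-negative integer
# that fits into a bigint, otherwise return undef. \A and \z anchor the whole
# string; with ^ and $ a trailing newline would also be accepted.
sub validate_bigint_id {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A[0-9]{1,19}\z/;
    my $n = Math::BigInt->new($raw);
    return undef if $n->bcmp($BIGINT_MAX) > 0;
    return $n->bstr;
}

# Hypothetical stand-in for a controller action: the status is decided before
# any query is built, so bad input becomes a 400 and never reaches DBI.
sub handle_request {
    my ($raw_id) = @_;
    my $id = validate_bigint_id($raw_id);
    return {status => 400, error => 'Invalid parameter: id'} unless defined $id;
    return {status => 200, bind => [$id]};    # value for the "me.id = ?" placeholder
}

# Constructed sample input: the values ending in "lala", the quote and the
# script tag are taken from the ticket, the others are added edge cases.
my @samples = (
    '327913',
    '327913lala',
    q{1'},
    '1<script>alert(1)</script>',
    "327913\n",               # trailing newline
    '9999999999999999999',    # digits only, but above the bigint maximum
    '',
);

for my $s (@samples) {
    my $r = handle_request($s);
    (my $shown = $s) =~ s/\n/\\n/g;
    printf "%-30s -> %d\n", "'$shown'", $r->{status};
}
```

Only the first sample is accepted; the placeholder query on the page already keeps the value out of the SQL text, so the check changes the outcome from a logged database error to a client error.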

#1

Updated by tinita 9 months ago

  • Description updated (diff)

#2

Updated by tinita 9 months ago

  • Description updated (diff)

#3

Updated by okurz 9 months ago

  • Tags set to alert, reactive work, SQL
  • Target version set to future