Bug 52952 - missing input validation in UDM REST API for container/cn properties
Status: RESOLVED MOVED
Product: UCS
Classification: Unclassified
Component: UDM - REST API
UCS 4.4
Other Linux
P5 normal
: ---
Assigned To: Florian Best
UMC maintainers
https://git.knut.univention.de/univen...
Depends on:
Blocks:
Reported: 2021-03-18 14:27 CET by Daniel Tröder
Modified: 2022-11-09 22:00 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
request data (1.54 KB, application/json)
2021-03-18 14:33 CET, Daniel Tröder

Description Daniel Tröder univentionstaff 2021-03-18 14:27:28 CET
When creating a container/cn object through the UDM REST API and passing as value for the property "printerPath" "none" (instead of a boolean), the API responds with HTTP 500 and a traceback in the body. In the log file:

------------------------------------------------------------------------------
18.03.21 14:20:42       ERROR      (    26160) : Uncaught exception POST /udm/container/cn/ (0.0.0.0)
    HTTPServerRequest(protocol='http', host='10.200.3.20', method='POST', uri='/udm/container/cn/', version='HTTP/1.1', remote_ip='0.0.0.0', headers={'X-Umc-Https': 'on', 'Content-Length': '1525', 'Via': '1.1 m20.uni.dtr', 'Accept-Encoding': 'gzip,deflate', 'X-Forwarded-Host': '10.200.3.20', 'X-Forwarded-For': '10.200.3.20', 'Host': '10.200.3.20', 'Accept': 'application/json', 'User-Agent': 'curl/7.52.1', 'Connection': 'close', 'X-Forwarded-Proto': 'https', 'Expect': '100-continue', 'X-Forwarded-Server': 'm20.uni.dtr', 'Content-Type': 'application/json', 'X-Forwarded-Ssl': 'on', 'Authorization': 'Basic QWRtaW5pc3RyYXRvcjp1bml2ZW50aW9u'})
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/tornado/web.py", line 1469, in _execute
        result = yield result
      File "/usr/lib/python2.7/dist-packages/tornado/gen.py", line 1015, in run
        value = future.result()
      File "/usr/lib/python2.7/dist-packages/tornado/concurrent.py", line 237, in result
        raise_exc_info(self._exc_info)
      File "/usr/lib/python2.7/dist-packages/tornado/gen.py", line 1021, in run
        yielded = self.gen.throw(*exc_info)
      File "/usr/lib/python2.7/dist-packages/univention/admin/rest/module.py", line 2512, in post
        obj = yield obj.create(object_type)
      File "/usr/lib/python2.7/dist-packages/tornado/gen.py", line 1015, in run
        value = future.result()
      File "/usr/lib/python2.7/dist-packages/tornado/concurrent.py", line 237, in result
        raise_exc_info(self._exc_info)
      File "/usr/lib/python2.7/dist-packages/tornado/gen.py", line 1021, in run
        yielded = self.gen.throw(*exc_info)
      File "/usr/lib/python2.7/dist-packages/univention/admin/rest/module.py", line 2871, in create
        dn = yield self.pool.submit(self.handle_udm_errors, obj.create)
      File "/usr/lib/python2.7/dist-packages/tornado/gen.py", line 1015, in run
        value = future.result()
      File "/usr/lib/python2.7/dist-packages/concurrent/futures/_base.py", line 398, in result
        return self.__get_result()
      File "/usr/lib/python2.7/dist-packages/concurrent/futures/thread.py", line 55, in run
        result = self.fn(*self.args, **self.kwargs)
      File "/usr/lib/python2.7/dist-packages/univention/admin/rest/module.py", line 2886, in handle_udm_errors
        return action()
      File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
        dn = self._create(response=response, serverctrls=serverctrls)
      File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1270, in _create
        six.reraise(exc[0], exc[1], exc[2])
      File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1256, in _create
        self._ldap_post_create()
      File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/container/cn.py", line 208, in _ldap_post_create
        if self.info[prop] == '0':
    KeyError: 'printerPath'
18.03.21 14:20:42       ERROR      (    26160) : 500 POST /udm/container/cn/ (0.0.0.0) 32.11ms
------------------------------------------------------------------------------

The UDM REST API should handle invalid input robustly and respond with HTTP 422.
Comment 1 Daniel Tröder univentionstaff 2021-03-18 14:33:22 CET
Created attachment 10655 [details]
request data

curl -k -X POST -H "Accept: application/json" -H "Content-Type: application/json" https://Administrator:univention@10.200.3.20/univention/udm/container/cn/  --data @template.json
Comment 2 Florian Best univentionstaff 2021-03-18 14:59:05 CET
(In reply to Daniel Tröder from comment #0)
> When creating a container/cn object through the UDM REST API and passing as
> value for the property "printerPath" "none" (instead of a boolean), the API
> responds with HTTP 500 and a traceback in the body. In the log file:


You mean `printerPath: null`, not the string `"none"`.
Comment 3 Florian Best univentionstaff 2021-03-18 15:01:52 CET
passing python "None" to a property is a special case, which means: remove the property.
Comment 4 Daniel Tröder univentionstaff 2021-03-18 16:50:23 CET
(In reply to Florian Best from comment #2)
> You mean `printerPath: null`, not the string `"none"`.
Oh yes… it is JSON :)

> passing python "None" to a property is a special case, which means: remove the property.
IMHO that is a) weird even for Python and b) not something that a REST API should expose.
Comment 5 Florian Best univentionstaff 2022-11-09 22:00:56 CET
Reproducer:
curl -H 'Accept: application/json' -s http://Administrator:univention@localhost/univention/udm/container/cn/add | python -m json.tool | sed 's/"printerPath": false/"printerPath": null/g; s/"name": null/"name": "somecontainer"/' > template.json
curl -k -X POST -H "Accept: application/json" -H "Content-Type: application/json"  http://Administrator:univention@localhost/univention/udm/container/cn/ --data @template.json | python -m json.tool

MR: https://git.knut.univention.de/univention/ucs/-/merge_requests/560
→ we prevent the exception by just accessing the dict safely.
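The chain behind this report, as an added illustration that is not the project's code and not part of the bug: a JSON null is treated as "remove the property" (comment 3), the post-create hook then reads the key with `self.info[prop]` and raises KeyError (traceback above), and the uncaught exception becomes HTTP 500. The stand-in below models that path, the safe dict access from the merge request, and the HTTP 422 the reporter asks for when a value cannot be mapped at all (e.g. the string "none"). The handler, the request body layout (`properties` object), the '1'/'0' representation of booleans and the response shapes are assumptions for this example only; the real UDM property syntax and LDAP mapping are not shown on this page.

```python
import json

# Constructed stand-in: the only boolean flag the traceback mentions.
BOOLEAN_PROPERTIES = ("printerPath",)


def validate(properties):
    """Return (property, message) pairs for values the handler cannot map.
    JSON null (Python None) is the documented 'remove the property' case and is accepted."""
    errors = []
    for prop in BOOLEAN_PROPERTIES:
        if prop not in properties:
            continue
        value = properties[prop]
        if value is not None and not isinstance(value, bool):
            errors.append((prop, "expected boolean or null, got %r" % (value,)))
    return errors


def apply_properties(properties):
    """Build the handler's info dict (assumed representation: booleans as '1'/'0',
    which matches the `== '0'` comparison in the traceback). None removes the key,
    which is exactly what later trips the KeyError."""
    info = {}
    for key, value in properties.items():
        if value is None:
            info.pop(key, None)
        elif isinstance(value, bool):
            info[key] = "1" if value else "0"
        else:
            info[key] = value
    return info


def ldap_post_create_unsafe(info):
    """Mirrors `if self.info[prop] == '0':` from the traceback: KeyError once the key is gone."""
    return [prop for prop in BOOLEAN_PROPERTIES if info[prop] == "0"]


def ldap_post_create_safe(info):
    """The fix described in comment 5: access the dict safely; a removed property counts as unset."""
    return [prop for prop in BOOLEAN_PROPERTIES if info.get(prop) == "0"]


def handle_post(body, safe=True):
    """Tiny stand-in for the REST POST handler. Returns (http_status, payload).
    With safe=False it reproduces the 500; with safe=True it returns 201 for null."""
    request = json.loads(body)
    properties = request.get("properties", {})

    errors = validate(properties)
    if errors:  # reject unmappable input up front instead of letting it reach LDAP code
        return 422, {"error": {"code": 422, "details": errors}}

    info = apply_properties(properties)
    post_create = ldap_post_create_safe if safe else ldap_post_create_unsafe
    try:
        disabled = post_create(info)
    except KeyError as exc:  # what the report shows as "Uncaught exception" -> HTTP 500
        return 500, {"error": {"code": 500, "message": "KeyError: %s" % exc}}

    # constructed DN; the real base DN and position come from the request/domain
    return 201, {"dn": "cn=%s,<base DN placeholder>" % properties.get("name", ""),
                 "disabled": disabled}


if __name__ == "__main__":
    # constructed request bodies, shaped like the reproducer's edited template.json
    null_body = '{"properties": {"name": "somecontainer", "printerPath": null}}'
    print(handle_post(null_body, safe=False))   # (500, ...)  the reported behaviour
    print(handle_post(null_body, safe=True))    # (201, ...)  after safe dict access
    print(handle_post('{"properties": {"name": "somecontainer", "printerPath": "none"}}'))  # (422, ...)
```

The two halves are independent: safe access alone turns the 500 into a successful create (null really does mean "unset" here), while the validation step is what yields a 422 for values that are neither boolean nor null, which is the behaviour the description asks for.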