Univention Bugzilla – Bug 52952
missing input validation in UDM REST API for container/cn properties
Last modified: 2022-11-09 22:00:56 CET
When creating a container/cn object through the UDM REST API and passing as value for the property "printerPath" "none" (instead of a boolean), the API responds with HTTP 500 and a traceback in the body. In the log file:

------------------------------------------------------------------------------
18.03.21 14:20:42 ERROR ( 26160) : Uncaught exception POST /udm/container/cn/ (0.0.0.0)
HTTPServerRequest(protocol='http', host='10.200.3.20', method='POST', uri='/udm/container/cn/', version='HTTP/1.1', remote_ip='0.0.0.0', headers={'X-Umc-Https': 'on', 'Content-Length': '1525', 'Via': '1.1 m20.uni.dtr', 'Accept-Encoding': 'gzip,deflate', 'X-Forwarded-Host': '10.200.3.20', 'X-Forwarded-For': '10.200.3.20', 'Host': '10.200.3.20', 'Accept': 'application/json', 'User-Agent': 'curl/7.52.1', 'Connection': 'close', 'X-Forwarded-Proto': 'https', 'Expect': '100-continue', 'X-Forwarded-Server': 'm20.uni.dtr', 'Content-Type': 'application/json', 'X-Forwarded-Ssl': 'on', 'Authorization': 'Basic QWRtaW5pc3RyYXRvcjp1bml2ZW50aW9u'})
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/tornado/web.py", line 1469, in _execute
    result = yield result
  File "/usr/lib/python2.7/dist-packages/tornado/gen.py", line 1015, in run
    value = future.result()
  File "/usr/lib/python2.7/dist-packages/tornado/concurrent.py", line 237, in result
    raise_exc_info(self._exc_info)
  File "/usr/lib/python2.7/dist-packages/tornado/gen.py", line 1021, in run
    yielded = self.gen.throw(*exc_info)
  File "/usr/lib/python2.7/dist-packages/univention/admin/rest/module.py", line 2512, in post
    obj = yield obj.create(object_type)
  File "/usr/lib/python2.7/dist-packages/tornado/gen.py", line 1015, in run
    value = future.result()
  File "/usr/lib/python2.7/dist-packages/tornado/concurrent.py", line 237, in result
    raise_exc_info(self._exc_info)
  File "/usr/lib/python2.7/dist-packages/tornado/gen.py", line 1021, in run
    yielded = self.gen.throw(*exc_info)
  File "/usr/lib/python2.7/dist-packages/univention/admin/rest/module.py", line 2871, in create
    dn = yield self.pool.submit(self.handle_udm_errors, obj.create)
  File "/usr/lib/python2.7/dist-packages/tornado/gen.py", line 1015, in run
    value = future.result()
  File "/usr/lib/python2.7/dist-packages/concurrent/futures/_base.py", line 398, in result
    return self.__get_result()
  File "/usr/lib/python2.7/dist-packages/concurrent/futures/thread.py", line 55, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/lib/python2.7/dist-packages/univention/admin/rest/module.py", line 2886, in handle_udm_errors
    return action()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1270, in _create
    six.reraise(exc[0], exc[1], exc[2])
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1256, in _create
    self._ldap_post_create()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/container/cn.py", line 208, in _ldap_post_create
    if self.info[prop] == '0':
KeyError: 'printerPath'
18.03.21 14:20:42 ERROR ( 26160) : 500 POST /udm/container/cn/ (0.0.0.0) 32.11ms
------------------------------------------------------------------------------

The UDM REST API should handle invalid input robustly and respond with HTTP 422.
Created attachment 10655: request data

curl -k -X POST -H "Accept: application/json" -H "Content-Type: application/json" https://Administrator:univention@10.200.3.20/univention/udm/container/cn/ --data @template.json
(In reply to Daniel Tröder from comment #0)
> When creating a container/cn object through the UDM REST API and passing as
> value for the property "printerPath" "none" (instead of a boolean), the API
> responds with HTTP 500 and a traceback in the body. In the log file:

You mean `printerPath: null`, not the string `"none"`.
Passing Python `None` to a property is a special case, which means: remove the property.
(In reply to Florian Best from comment #2)
> You mean `printerPath: null`, not the string `"none"`.

Oh yes… it is JSON :)

> Passing Python `None` to a property is a special case, which means: remove the property.

IMHO that is a) weird even for Python and b) not something that a REST API should expose.
Reproducer:

# fetch the "add" template, turn printerPath into null and give the container a name
curl -H 'Accept: application/json' -s http://Administrator:univention@localhost/univention/udm/container/cn/add \
  | python -m json.tool \
  | sed 's/"printerPath": false/"printerPath": null/g; s/"name": null/"name": "somecontainer"/' \
  > template.json

# POST the modified template; the server answers 500 instead of 422
curl -k -X POST -H "Accept: application/json" -H "Content-Type: application/json" \
  http://Administrator:univention@localhost/univention/udm/container/cn/ --data @template.json \
  | python -m json.tool

MR: https://git.knut.univention.de/univention/ucs/-/merge_requests/560 → we prevent the exception by just accessing the dict safely.
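The following is an added illustration of the failure mode discussed in this bug and of the two places it can be caught; it is not UDM's or the REST API's own code. The class, the `info` dict semantics and the HTTP status mapping are constructed assumptions that mirror the comments above: assigning `None` removes a property, the post-create hook indexes `self.info[prop]` directly (the line in the traceback), booleans are assumed to be stored as the strings '1'/'0', and the REST layer turns an uncaught exception into a 500. `post_create_safe` shows the fix from the merge request (safe dict access); `validate_payload` shows the 422 the reporter asks for, rejecting a non-boolean before the object ever reaches the handler.

```python
"""Toy model of bug 52952: null for a boolean property reaches a hook that
indexes the property dict directly. Constructed example, not UDM code."""
import json
from typing import Any, Callable, Dict, List, Tuple

# Assumption: only the property named on the page is modelled as a boolean flag.
BOOLEAN_PROPS = {"printerPath"}


class ContainerCN:
    """Stand-in for the container/cn handler (constructed, not UDM's class)."""

    def __init__(self) -> None:
        self.info: Dict[str, Any] = {}

    def __setitem__(self, prop: str, value: Any) -> None:
        # Mirrors comment #2: assigning None means "remove the property".
        if value is None:
            self.info.pop(prop, None)
        elif isinstance(value, bool):
            # Assumption: UDM keeps boolean flags as '1'/'0' strings, which is
            # why the traceback compares against the string '0'.
            self.info[prop] = "1" if value else "0"
        else:
            self.info[prop] = value

    def post_create_unsafe(self) -> bool:
        # Shape of cn.py line 208 in the traceback: direct indexing raises
        # KeyError once the property has been removed by a null value.
        return self.info["printerPath"] == "0"

    def post_create_safe(self) -> bool:
        # The fix described in the last comment: access the dict safely, so a
        # removed property simply reads as "not set".
        return self.info.get("printerPath") == "0"


def validate_payload(props: Dict[str, Any]) -> List[str]:
    """Input validation the REST layer can do before touching the handler."""
    errors = []
    for prop in sorted(BOOLEAN_PROPS):
        if prop in props and not isinstance(props[prop], bool):
            errors.append(
                "%s: expected a boolean, got %s" % (prop, json.dumps(props[prop]))
            )
    return errors


def create_container(
    body: str, hook: Callable[[ContainerCN], bool], validate: bool
) -> Tuple[int, Dict[str, Any]]:
    """Simplified POST /udm/container/cn/: returns (status, response body)."""
    props = json.loads(body)["properties"]
    if validate:
        errors = validate_payload(props)
        if errors:
            return 422, {"error": errors}
    obj = ContainerCN()
    for prop, value in props.items():
        obj[prop] = value
    try:
        hook(obj)
    except Exception as exc:  # what an uncaught exception turns into: HTTP 500
        return 500, {"traceback": "%s: %r" % (type(exc).__name__, exc.args[0])}
    return 201, {"dn": "cn=%s,dc=example,dc=test" % props["name"]}


# Constructed request bodies, modelled on the reproducer's template.json.
REQUEST_NULL = json.dumps({"properties": {"name": "somecontainer", "printerPath": None}})
REQUEST_OK = json.dumps({"properties": {"name": "somecontainer", "printerPath": False}})


if __name__ == "__main__":
    for label, hook, validate in (
        ("unsafe hook, no validation", ContainerCN.post_create_unsafe, False),
        ("safe hook, no validation", ContainerCN.post_create_safe, False),
        ("unsafe hook, with validation", ContainerCN.post_create_unsafe, True),
    ):
        status, resp = create_container(REQUEST_NULL, hook, validate)
        print("%-30s -> %d %s" % (label, status, resp))
```

Run stand-alone, the script shows the three outcomes side by side: the original code path answers 500 with a KeyError, the merge request's safe access lets the create succeed with the flag unset, and validating the payload first answers 422 with a message that names the offending property. The two fixes are complementary: safe access stops the traceback, validation stops a client from silently unsetting a flag it meant to set.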