Open
Bug 1232203
Opened 9 years ago
Updated 7 years ago
Add extensive parameter validation to all external APIs
Categories
(Bugzilla :: WebService, defect)
Bugzilla
WebService
Tracking
()
NEW
Bugzilla 6.0
People
(Reporter: dylan, Assigned: dylanAtHome)
References
Details
Bug #1230932 comment 20, Frédéric Buclin notes: > All the WS methods are very lenient about input data. They simply make sure > that mandatory parameters are defined, but they do not check that parameters > (both mandatory and optional) are of the expected format (i.e. strings or > integers, most of the time). This is out of the scope of this bug, but we > should really improve validators in Bugzilla/WebService/*.pm. That's IMO not > the job of Bugzilla/*.pm to do these checks as they are supposed to be used > internally only, where the data format is not controlled by users. So it's the > job of the API to pass correctly formatted data to internal methods. As those changes were outside the scope of that bug, they are within the scope of this bug.
Reporter | ||
Updated•9 years ago
|
Assignee: webservice → dylan
Target Milestone: --- → Bugzilla 6.0
Version: 5.0.1 → unspecified
Reporter | ||
Comment 1•8 years ago
|
||
Additional problems with param validation: rest/bug/update takes a comment: { body: "foo" } and if you pass a comment: "foo" it dies with a HASH error.
Comment 2•8 years ago
|
||
For instance, this call works, despite 'names' should be an array of strings only: my $call = rpc_call('Bug.fields', { names => [{ id => 8 }] }); because Bug.fields does: my $names = $params->{names}; foreach my $field_name (@$names) { my $loop_field = Bugzilla::Field->check($field_name); and so you can pass { id => 8 } directly to check(). Fortunately, passing 'id' is safe, because Bugzilla::Object->check will make sure that this parameter is an integer. If you try to pass: my $call = rpc_call('Bug.fields', { names => [{ conditions => ..., values => ... }] }); then Bug.fields happily accepts it (oops!), but fortunately Bugzilla::Object->check() will refuse it because it wants either 'id' or 'name' to be defined, and so the conditions/values code is never reached. But this is a weak and dangerous protection. The API should have caught this illegal input earlier.
Reporter | ||
Updated•7 years ago
|
Assignee: dylan → dylan
You need to log in
before you can comment on or make changes to this bug.
Description
•