Bug #19519
closed
Error when trying to save a property using xml tags but property actually saved
Description
I tried to save a key-value for group property
Error is
An error occured while saving this new property : Update failed, cause is: Error when logging modification as an event <- Error when persisting event log NodeGroupModified. Cause was: PSQLException: ERROR: invalid XML content Detail: line 1: EntityRef: expecting ';' /v/t1.6435-9/188471947_332576001570922_6584186680630811863_n.jpg?_nc_cat=111&ccb ^ line 1: EntityRef: expecting ';' /188471947_332576001570922_6584186680630811863_n.jpg?_nc_cat=111&ccb=1-3&_nc_sid ^ line 1: EntityRef: expecting ';' 76001570922_6584186680630811863_n.jpg?_nc_cat=111&ccb=1-3&_nc_sid=174925&_nc_ohc ^ line 1: EntityRef: expecting ';' 1863_n.jpg?_nc_cat=111&ccb=1-3&_nc_sid=174925&_nc_ohc=jdD7OenDGMAAX9bOnpP&_nc_ht ^ line 1: EntityRef: expecting ';' &ccb=1-3&_nc_sid=174925&_nc_ohc=jdD7OenDGMAAX9bOnpP&_nc_ht=scontent-cdg2-1.xx&oh ^ line 1: EntityRef: expecting ';' OenDGMAAX9bOnpP&_nc_ht=scontent-cdg2-1.xx&oh=fdd31e425c0c5c586b412f9983f520bb&oe ^ line 1: chunk is not well balanced.
yet it is indeed saved
Updated by François ARMAND over 3 years ago
And what about the event log since it's what is said to be in error? Is it available in event log page? What about the content?
It seems that we are missing some sanitization of user input for event log table (ie a CDATA or something like that).
Updated by Nicolas CHARLES over 3 years ago
Event log is not saved, so that's a good way to hide properties addition/modifications
Updated by Vincent MEMBRÉ over 3 years ago
- Target version changed from 6.2.9 to 6.2.10
Updated by Vincent MEMBRÉ over 3 years ago
- Target version changed from 6.2.10 to 6.2.11
Updated by Vincent MEMBRÉ about 3 years ago
- Target version changed from 6.2.11 to 6.2.12
Updated by Vincent MEMBRÉ about 3 years ago
- Target version changed from 6.2.12 to 6.2.13
Updated by François ARMAND almost 3 years ago
- Subject changed from Error when trying to save a property using xml tags to Error when trying to save a property using xml tags but property actually saved
- Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
- User visibility set to Infrequent - complex configurations | third party integrations
- Priority changed from 0 to 59
This may be a security problem (ie: either escaping is correct and there should be no error, or it's fishy)
Updated by François ARMAND almost 3 years ago
And then, cloning the group with that property leads to more errors, but the clone is still done:
Updated by Vincent MEMBRÉ over 2 years ago
- Target version changed from 6.2.13 to 6.2.14
- Priority changed from 59 to 57
Updated by Vincent MEMBRÉ over 2 years ago
- Target version changed from 6.2.14 to 6.2.15
- Priority changed from 57 to 55
Updated by Vincent MEMBRÉ over 2 years ago
- Target version changed from 6.2.15 to 6.2.16
- Priority changed from 55 to 54
Updated by Alexis Mousset over 2 years ago
- Target version changed from 6.2.16 to 6.2.17
Updated by Vincent MEMBRÉ over 2 years ago
- Target version changed from 6.2.17 to 997
- Priority changed from 54 to 0
Updated by Vincent MEMBRÉ over 2 years ago
- Target version changed from 997 to 6.2.18
Updated by Vincent MEMBRÉ over 2 years ago
- Target version changed from 6.2.18 to 6.2.19
Updated by Vincent MEMBRÉ over 2 years ago
- Target version changed from 6.2.19 to 6.2.20
Updated by Vincent MEMBRÉ about 2 years ago
- Target version changed from 6.2.20 to old 6.2 issues to relocate
Updated by François ARMAND over 1 year ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND over 1 year ago
- Status changed from In progress to New
- Assignee deleted (François ARMAND)
- Target version changed from old 6.2 issues to relocate to 7.2.7
- Regression set to No
The problem is only for event log. We are not escaping the XML serialisation of the event corresponding to the property addition.
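Added example (not part of the ticket and not Rudder's code): a Python sketch of the escaping gap named in the comment above, comparing an unescaped serialisation, the CDATA idea raised earlier in the thread, and entity escaping. The element names, the sample values and the use of Python's expat parser as a stand-in for PostgreSQL's XML check are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample values (not taken from the ticket).
URL_VALUE = "https://example.invalid/a.jpg?_nc_cat=111&ccb=1-3&_nc_sid=174925"
CDATA_BREAKER = "x]]><injected/><![CDATA["

# Hypothetical event-log layout: <property><name/><value/></property>.
def serialize_raw(name, value):
    """Unescaped concatenation: the behaviour the ticket describes."""
    return f"<property><name>{name}</name><value>{value}</value></property>"

def serialize_cdata(name, value):
    """Naive CDATA wrapping: a value containing ']]>' closes the section early."""
    return (f"<property><name>{escape(name)}</name>"
            f"<value><![CDATA[{value}]]></value></property>")

def serialize_escaped(name, value):
    """Escape &, < and > so the value can only ever be character data."""
    return (f"<property><name>{escape(name)}</name>"
            f"<value>{escape(value)}</value></property>")

def survives(serializer, value):
    """True only if the XML is well-formed AND the parser reads back exactly
    the original value with no extra markup inside <value>."""
    try:
        root = ET.fromstring(serializer("k", value))
    except ET.ParseError:
        return False  # a strict XML column would reject the event here
    node = root.find("value")
    return node is not None and len(node) == 0 and node.text == value

def audit_matrix():
    """Map (serializer name, sample name) -> whether the event is stored intact."""
    serializers = {"raw": serialize_raw, "cdata": serialize_cdata,
                   "escaped": serialize_escaped}
    samples = {"url": URL_VALUE, "cdata_breaker": CDATA_BREAKER}
    return {(s, v): survives(fn, val)
            for s, fn in serializers.items() for v, val in samples.items()}

if __name__ == "__main__":
    for key, ok in audit_matrix().items():
        print(key, "stored intact" if ok else "rejected or altered")
```

Only the escaped serialisation keeps both sample values intact; the CDATA variant accepts the URL but lets the second value place an element inside `<value>`.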
Updated by François ARMAND over 1 year ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND over 1 year ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Vincent MEMBRÉ
- Pull Request set to https://github.com/Normation/rudder/pull/4787
Updated by Anonymous over 1 year ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|9d4dbaf2a033921036f96958d7c365a9a5c5b43d.
Updated by Vincent MEMBRÉ over 1 year ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 7.2.7 and 7.3.2 which were released today.