Bug #19519

closed

Error when trying to save a property using xml tags but property actually saved

Added by Nicolas CHARLES almost 3 years ago. Updated 8 months ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Infrequent - complex configurations | third party integrations
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
No

Description

I tried to save a key-value for group property

hasselhof:<img src="https://scontent-cdg2-1.xx.fbcdn.net/v/t1.6435-9/188471947_332576001570922_6584186680630811863_n.jpg?_nc_cat=111&ccb=1-3&_nc_sid=174925&_nc_ohc=jdD7OenDGMAAX9bOnpP&_nc_ht=scontent-cdg2-1.xx&oh=fdd31e425c0c5c586b412f9983f520bb&oe=60EBDEBE&quot;/>

Error is

 An error occured while saving this new property : Update failed, cause is: Error when logging modification as an event <- Error when persisting event log NodeGroupModified. Cause was: PSQLException: ERROR: invalid XML content Detail: line 1: EntityRef: expecting ';' /v/t1.6435-9/188471947_332576001570922_6584186680630811863_n.jpg?_nc_cat=111&ccb ^ line 1: EntityRef: expecting ';' /188471947_332576001570922_6584186680630811863_n.jpg?_nc_cat=111&ccb=1-3&_nc_sid ^ line 1: EntityRef: expecting ';' 76001570922_6584186680630811863_n.jpg?_nc_cat=111&ccb=1-3&_nc_sid=174925&_nc_ohc ^ line 1: EntityRef: expecting ';' 1863_n.jpg?_nc_cat=111&ccb=1-3&_nc_sid=174925&_nc_ohc=jdD7OenDGMAAX9bOnpP&_nc_ht ^ line 1: EntityRef: expecting ';' &ccb=1-3&_nc_sid=174925&_nc_ohc=jdD7OenDGMAAX9bOnpP&_nc_ht=scontent-cdg2-1.xx&oh ^ line 1: EntityRef: expecting ';' OenDGMAAX9bOnpP&_nc_ht=scontent-cdg2-1.xx&oh=fdd31e425c0c5c586b412f9983f520bb&oe ^ line 1: chunk is not well balanced.

yet it is indeed saved


Files

clipboard-202201271551-sspqy.png (58.1 KB) clipboard-202201271551-sspqy.png François ARMAND, 2022-01-27 15:51
Actions #1

Updated by François ARMAND almost 3 years ago

And what about the event log since it's what is said to be in error? Is it available in event log page? What about the content?

It seems that we are missing some sanitization of user input for the event log table (i.e. a CDATA or something like that).

Actions #2

Updated by Nicolas CHARLES almost 3 years ago

Event log is not saved, so that's a good way to hide properties addition/modifications

Actions #3

Updated by Nicolas CHARLES almost 3 years ago

  • Private changed from No to Yes
Actions #4

Updated by Vincent MEMBRÉ almost 3 years ago

  • Target version changed from 6.2.9 to 6.2.10
Actions #5

Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 6.2.10 to 6.2.11
Actions #6

Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 6.2.11 to 6.2.12
Actions #7

Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 6.2.12 to 6.2.13
Actions #8

Updated by François ARMAND about 2 years ago

  • Subject changed from Error when trying to save a property using xml tags to Error when trying to save a property using xml tags but property actually saved
  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to Infrequent - complex configurations | third party integrations
  • Priority changed from 0 to 59

This may be a security problem (i.e. either escaping is correct and there should be no error, or it's fishy).

Actions #9

Updated by François ARMAND about 2 years ago

And then, cloning the group with that property leads to more errors, but the clone is still done:

Actions #10

Updated by Vincent MEMBRÉ about 2 years ago

  • Target version changed from 6.2.13 to 6.2.14
  • Priority changed from 59 to 57
Actions #11

Updated by Vincent MEMBRÉ almost 2 years ago

  • Target version changed from 6.2.14 to 6.2.15
  • Priority changed from 57 to 55
Actions #12

Updated by Vincent MEMBRÉ almost 2 years ago

  • Target version changed from 6.2.15 to 6.2.16
  • Priority changed from 55 to 54
Actions #13

Updated by Alexis Mousset over 1 year ago

  • Target version changed from 6.2.16 to 6.2.17
Actions #14

Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 6.2.17 to 997
  • Priority changed from 54 to 0
Actions #15

Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 997 to 6.2.18
Actions #16

Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 6.2.18 to 6.2.19
Actions #17

Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 6.2.19 to 6.2.20
Actions #18

Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 6.2.20 to old 6.2 issues to relocate
Actions #19

Updated by François ARMAND 12 months ago

  • Status changed from New to In progress
  • Assignee set to François ARMAND
Actions #20

Updated by François ARMAND 12 months ago

  • Status changed from In progress to New
  • Assignee deleted (François ARMAND)
  • Target version changed from old 6.2 issues to relocate to 7.2.7
  • Regression set to No

The problem is only for event log. We are not escaping the XML serialisation of the event corresponding to the property addition.
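
The failure mode described in this thread, as an added illustration that is not Rudder's own code: a property value containing `&` and `<` is concatenated verbatim into the event's XML, the XML column rejects the document (the `EntityRef: expecting ';'` errors above), and the audit event is lost while the property itself is kept. The element names, the property value and the helper functions below are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample input: an HTML tag with a URL whose query string contains
# raw '&' characters, as in the bug report (shortened, hypothetical host).
PROPERTY_NAME = "hasselhof"
PROPERTY_VALUE = '<img src="https://example.invalid/n.jpg?_nc_cat=111&ccb=1-3"/>'

# Extra entity for escape(): attribute quotes are also made safe.
_QUOTE_ENTITY = {'"': "&quot;"}


def serialize_event_unescaped(name, value):
    """The defect: user-controlled text is spliced into the XML as-is."""
    return ("<nodeGroupModified><property><name>" + name + "</name>"
            "<value>" + value + "</value></property></nodeGroupModified>")


def serialize_event_escaped(name, value):
    """The fix: escape '&', '<', '>' and '"' before building the document."""
    return ("<nodeGroupModified><property><name>" + escape(name, _QUOTE_ENTITY)
            + "</name><value>" + escape(value, _QUOTE_ENTITY)
            + "</value></property></nodeGroupModified>")


def is_well_formed_xml(doc):
    """Stand-in for the well-formedness check an XML column applies on insert."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


def roundtrip_value(doc):
    """Parse the persisted event back and return the stored property value."""
    return ET.fromstring(doc).find("property/value").text


if __name__ == "__main__":
    bad = serialize_event_unescaped(PROPERTY_NAME, PROPERTY_VALUE)
    good = serialize_event_escaped(PROPERTY_NAME, PROPERTY_VALUE)
    print("unescaped accepted:", is_well_formed_xml(bad))    # False: event lost
    print("escaped accepted:  ", is_well_formed_xml(good))   # True: event kept
    print("value round-trips: ", roundtrip_value(good) == PROPERTY_VALUE)
```

Checking well-formedness before the insert turns the silent loss into a detectable error; with escaping in place the event persists and the original value is recovered unchanged on read-back.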

Actions #21

Updated by François ARMAND 12 months ago

  • Status changed from New to In progress
  • Assignee set to François ARMAND
Actions #22

Updated by François ARMAND 12 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Vincent MEMBRÉ
  • Pull Request set to https://github.com/Normation/rudder/pull/4787
Actions #23

Updated by Anonymous 11 months ago

  • Status changed from Pending technical review to Pending release
Actions #24

Updated by Vincent MEMBRÉ 11 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 7.2.7 and 7.3.2 which were released today.

Actions #25

Updated by Alexis Mousset 8 months ago

  • Private changed from Yes to No