Bug #19519
closed
Error when trying to save a property using xml tags but property actually saved
Added by Nicolas CHARLES over 3 years ago.
Updated over 1 year ago.
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility:
Infrequent - complex configurations | third party integrations
Description
I tried to save a key-value for group property
hasselhof:<img src="https://scontent-cdg2-1.xx.fbcdn.net/v/t1.6435-9/188471947_332576001570922_6584186680630811863_n.jpg?_nc_cat=111&ccb=1-3&_nc_sid=174925&_nc_ohc=jdD7OenDGMAAX9bOnpP&_nc_ht=scontent-cdg2-1.xx&oh=fdd31e425c0c5c586b412f9983f520bb&oe=60EBDEBE"/>
Error is
An error occured while saving this new property : Update failed, cause is: Error when logging modification as an event <- Error when persisting event log NodeGroupModified. Cause was: PSQLException: ERROR: invalid XML content Detail: line 1: EntityRef: expecting ';' /v/t1.6435-9/188471947_332576001570922_6584186680630811863_n.jpg?_nc_cat=111&ccb ^ line 1: EntityRef: expecting ';' /188471947_332576001570922_6584186680630811863_n.jpg?_nc_cat=111&ccb=1-3&_nc_sid ^ line 1: EntityRef: expecting ';' 76001570922_6584186680630811863_n.jpg?_nc_cat=111&ccb=1-3&_nc_sid=174925&_nc_ohc ^ line 1: EntityRef: expecting ';' 1863_n.jpg?_nc_cat=111&ccb=1-3&_nc_sid=174925&_nc_ohc=jdD7OenDGMAAX9bOnpP&_nc_ht ^ line 1: EntityRef: expecting ';' &ccb=1-3&_nc_sid=174925&_nc_ohc=jdD7OenDGMAAX9bOnpP&_nc_ht=scontent-cdg2-1.xx&oh ^ line 1: EntityRef: expecting ';' OenDGMAAX9bOnpP&_nc_ht=scontent-cdg2-1.xx&oh=fdd31e425c0c5c586b412f9983f520bb&oe ^ line 1: chunk is not well balanced.
yet it is indeed saved
And what about the event log since it's what is said to be in error? Is it available in event log page? What about the content?
It seems that we are missing some sanitization of user input for event log table (i.e. a CDATA or something like that).
Event log is not saved, so that's a good way to hide property additions/modifications
- Private changed from No to Yes
- Target version changed from 6.2.9 to 6.2.10
- Target version changed from 6.2.10 to 6.2.11
- Target version changed from 6.2.11 to 6.2.12
- Target version changed from 6.2.12 to 6.2.13
- Subject changed from Error when trying to save a property using xml tags to Error when trying to save a property using xml tags but property actually saved
- Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
- User visibility set to Infrequent - complex configurations | third party integrations
- Priority changed from 0 to 59
This may be a security problem (i.e. either escaping is correct and there should be no error, or it's fishy)
And then, cloning the group with that property leads to more errors, but the clone is still done:
- Target version changed from 6.2.13 to 6.2.14
- Priority changed from 59 to 57
- Target version changed from 6.2.14 to 6.2.15
- Priority changed from 57 to 55
- Target version changed from 6.2.15 to 6.2.16
- Priority changed from 55 to 54
- Target version changed from 6.2.16 to 6.2.17
- Target version changed from 6.2.17 to 997
- Priority changed from 54 to 0
- Target version changed from 997 to 6.2.18
- Target version changed from 6.2.18 to 6.2.19
- Target version changed from 6.2.19 to 6.2.20
- Target version changed from 6.2.20 to old 6.2 issues to relocate
- Status changed from New to In progress
- Assignee set to François ARMAND
- Status changed from In progress to New
- Assignee deleted (François ARMAND)
- Target version changed from old 6.2 issues to relocate to 7.2.7
- Regression set to No
The problem is only for event log. We are not escaping the XML serialisation of the event corresponding to the property addition.
- Status changed from New to In progress
- Assignee set to François ARMAND
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Vincent MEMBRÉ
- Pull Request set to https://github.com/Normation/rudder/pull/4787
- Status changed from Pending technical review to Pending release
- Status changed from Pending release to Released
This bug has been fixed in Rudder 7.2.7 and 7.3.2 which were released today.
- Private changed from Yes to No
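Added example, not part of the ticket and not Rudder's code (Rudder is written in Scala; Python is used here only for illustration): it shows why an unescaped property value makes the event XML malformed, how escaping keeps the value as text that reads back unchanged, and a save path that refuses a change whose audit event cannot be recorded. The element names, the sample value and the `save_property` helper are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed value shaped like the one in the report: markup plus raw '&' in a URL.
SAMPLE_VALUE = '<img src="https://img.example.invalid/p.jpg?_nc_cat=111&ccb=1-3&oe=60EB"/>'

# Hypothetical event layout; element names are illustrative, not Rudder's schema.
TEMPLATE = "<entry><nodeGroup><property><name>{name}</name><value>{value}</value></property></nodeGroup></entry>"


def serialize_unescaped(name, value):
    """'Before': user input is pasted into the event XML as-is."""
    return TEMPLATE.format(name=name, value=value)


def serialize_escaped(name, value):
    """'After': &, < and > in user input become entities, so it stays text."""
    return TEMPLATE.format(name=escape(name), value=escape(value))


def is_well_formed(xml_text):
    """Stand-in for the database XML column accepting or rejecting the row."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def read_value(xml_text):
    """Recover the property value from a stored event."""
    return ET.fromstring(xml_text).find(".//value").text


def save_property(store, event_log, name, value, serialize):
    """Apply the change only if its audit event can be recorded."""
    event = serialize(name, value)
    if not is_well_formed(event):
        return False  # no event, so no change either
    event_log.append(event)
    store[name] = value
    return True
```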