ZABBIX BUGS AND ISSUES / ZBX-7030

API should refuse requests that lack mandatory params

    Details

    • Type: Incident report
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 2.0.8
    • Fix Version/s: None
    • Component/s: API (A)
    • Labels:

      Description

      JSON requests that lack mandatory parameter(s) should not lead to database queries.

      Currently an API request like this:

      my $json = {
          "jsonrpc" => "2.0",
          "method"  => "host.update",
          "params"  => {
              "hostid"    => "",
              "inventory" => { "vendor" => "foo" }
          },
          "auth" => "$authid",
          "id"   => 1
      };

      returns an accurate response:

      {
        'jsonrpc' => '2.0',
        'error' => {
          'data' => 'No permissions to referred object or it does not exist!',
          'message' => 'Invalid params.',
          'code' => -32602
        },
        'id' => 1
      }

      But nevertheless executes the (syntactically wrong) SQL:

      2013-09-19 14:36:14 CEST ERROR: invalid input syntax for integer: "" at character 248
      2013-09-19 14:36:14 CEST STATEMENT: SELECT h.hostid,h.host FROM hosts h WHERE EXISTS (SELECT NULL FROM hosts_groups hgg JOIN rights r ON r.id=hgg.groupid AND r.groupid IN ('17','20','24','25') WHERE h.hostid=hgg.hostid GROUP BY hgg.hostid HAVING MIN(r.permission)>=3) AND h.hostid='' AND h.status IN (0,1)

              People

              Assignee: Unassigned
              Reporter: okkuv9xh Marc
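The behaviour the report asks for, as an added sketch that is not part of the original issue and is not Zabbix code: mandatory ID parameters are checked before any query is built, so an empty `hostid` gets the `-32602` error with zero database statements. The `CountingDB` class, the `MANDATORY_IDS` table, the ID pattern and the in-memory SQLite schema are assumptions made for the illustration.

```python
import re
import sqlite3

ID_RE = re.compile(r"[0-9]{1,18}")            # assumption: IDs are unsigned decimal integers
MANDATORY_IDS = {"host.update": ("hostid",)}  # hypothetical per-method rule table

class CountingDB:
    """In-memory stand-in for the database that counts the queries it runs."""
    def __init__(self):
        self.queries = 0
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE hosts (hostid INTEGER PRIMARY KEY, host TEXT, status INTEGER)")
        self.conn.execute("INSERT INTO hosts VALUES (10084, 'constructed-host', 0)")  # constructed row

    def fetch_host(self, hostid):
        self.queries += 1
        sql = "SELECT hostid, host FROM hosts WHERE hostid = ? AND status IN (0, 1)"
        return self.conn.execute(sql, (hostid,)).fetchone()

def error(req_id, code, message, data):
    return {"jsonrpc": "2.0", "error": {"code": code, "message": message, "data": data}, "id": req_id}

def handle(request, db):
    """Check mandatory ID parameters first; query the database only if they are valid."""
    req_id = request.get("id")
    method = request.get("method")
    required = MANDATORY_IDS.get(method) if isinstance(method, str) else None
    if required is None:
        return error(req_id, -32601, "Method not found.", "unsupported method in this sketch")
    params = request.get("params")
    if not isinstance(params, dict):
        return error(req_id, -32602, "Invalid params.", "params must be an object")
    for name in required:
        value = params.get(name)
        # Missing, empty, non-scalar and non-numeric values are all refused here,
        # so a value such as "" never reaches the SQL layer.
        if not isinstance(value, (str, int)) or not ID_RE.fullmatch(str(value)):
            return error(req_id, -32602, "Invalid params.", f'Parameter "{name}" is missing or not a valid ID.')
    row = db.fetch_host(int(params["hostid"]))
    if row is None:
        return error(req_id, -32602, "Invalid params.", "No permissions to referred object or it does not exist!")
    return {"jsonrpc": "2.0", "result": {"hostids": [str(row[0])]}, "id": req_id}

if __name__ == "__main__":
    db = CountingDB()
    # Constructed request shaped like the one in the report: hostid is an empty string.
    bad = {"jsonrpc": "2.0", "method": "host.update",
           "params": {"hostid": "", "inventory": {"vendor": "foo"}}, "id": 1}
    print(handle(bad, db), "queries:", db.queries)
```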