  1. ZABBIX BUGS AND ISSUES
  2. ZBX-7030

API should refuse requests that lack mandatory params


    • Incident report
    • Resolution: Duplicate
    • Minor
    • None
    • 2.0.8
    • API (A)

      JSON requests that lack mandatory parameter(s) should not lead to database queries.

      Currently an API request like this:

      my $json = { "jsonrpc" => "2.0",
                   "method"  => "host.update",
                   "params"  => { "hostid"    => "",
                                  "inventory" => { "vendor" => "foo" }
                                },
                   "auth"    => "$authid",
                   "id"      => 1
                 };

      returns an accurate response:

      {
        'jsonrpc' => '2.0',
        'error' => {
                     'data' => 'No permissions to referred object or it does not exist!',
                     'message' => 'Invalid params.',
                     'code' => -32602
                   },
        'id' => 1
      }

      But nevertheless executes the (syntactically wrong) SQL:

      2013-09-19 14:36:14 CEST ERROR: invalid input syntax for integer: "" at character 248
      2013-09-19 14:36:14 CEST STATEMENT: SELECT h.hostid,h.host FROM hosts h WHERE EXISTS (SELECT NULL FROM hosts_groups hgg JOIN rights r ON r.id=hgg.groupid AND r.groupid IN ('17','20','24','25') WHERE h.hostid=hgg.hostid GROUP BY hgg.hostid HAVING MIN(r.permission)>=3) AND h.hostid='' AND h.status IN (0,1)

            Unassigned
            okkuv9xh Marc
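
The behaviour the report asks for, sketched as an added example (not Zabbix code and not part of the original report): the mandatory "hostid" is checked before any statement is built, so the empty value from the request above never reaches the database. The handler name, the ID format, the SQLite table and the sample host are assumptions made for illustration, and only the existence lookup from the report is modelled.

```python
import re
import sqlite3

ID_RE = re.compile(r"[0-9]{1,18}")   # assumed ID format: unsigned decimal string
INVALID_PARAMS = -32602              # JSON-RPC "Invalid params" code seen in the report

def rpc_error(req_id, data):
    return {"jsonrpc": "2.0", "id": req_id,
            "error": {"code": INVALID_PARAMS, "message": "Invalid params.", "data": data}}

def check_hostid(params):
    """Return an error string, or None when the mandatory field is usable."""
    if not isinstance(params, dict) or "hostid" not in params:
        return 'Missing mandatory parameter "hostid".'
    hostid = params["hostid"]
    if not isinstance(hostid, str) or not ID_RE.fullmatch(hostid):
        return 'Invalid parameter "hostid": a numeric ID is expected.'
    return None

def host_update(request, db):
    """Hypothetical handler: validation runs before any statement is issued."""
    req_id, params = request.get("id"), request.get("params")
    problem = check_hostid(params)
    if problem:
        return rpc_error(req_id, problem)      # rejected here, nothing sent to the DB
    # Existence lookup only; the value is bound as an integer, never spliced into SQL.
    row = db.execute("SELECT hostid FROM hosts WHERE hostid = ? AND status IN (0,1)",
                     (int(params["hostid"]),)).fetchone()
    if row is None:
        return rpc_error(req_id, "No permissions to referred object or it does not exist!")
    return {"jsonrpc": "2.0", "result": {"hostids": [str(row[0])]}, "id": req_id}

def demo():
    """Send two constructed requests and record every statement the handler issues."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hosts (hostid INTEGER PRIMARY KEY, host TEXT, status INTEGER)")
    db.execute("INSERT INTO hosts VALUES (10084, 'constructed-host', 0)")
    statements = []
    db.set_trace_callback(statements.append)   # counts only what follows this line
    bad = host_update({"jsonrpc": "2.0", "method": "host.update", "id": 1,
                       "params": {"hostid": "", "inventory": {"vendor": "foo"}}}, db)
    after_bad = len(statements)
    good = host_update({"jsonrpc": "2.0", "method": "host.update", "id": 2,
                        "params": {"hostid": "10084"}}, db)
    return bad, after_bad, good, len(statements)

if __name__ == "__main__":
    print(demo())
```

The statement counter stays at zero after the request with the empty "hostid" and reaches one only for the well-formed request.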