Bug #5738: [API] Validate that selected columns are selectable, and return an error if not - Arvados

Bug #5738

Updated by Tom Clegg almost 10 years ago

h3. Background 

 Insufficient sanity checking causes an easy client error to generate an obtuse error message. 

 h3. Resolution 

 Before doing queries, verify that the "select" parameter provided by the client (if any) is not empty and does not contain any invalid entries. 

 h3. Initial bug report 

 <pre> 
 $ bundle exec arv collection list --filters='[["uuid", "=", "su92l-4zz18-hll1sflwwh8ogk1"]]' --select '["writable_by"]' 
 Error: #<ActiveRecord::StatementInvalid: PG::SyntaxError: ERROR:    syntax error at or near "FROM" 
 LINE 1: SELECT     FROM "collections"    WHERE (expires_at IS NULL or ex... 
                  ^ 
 : SELECT     FROM "collections"    WHERE (expires_at IS NULL or expires_at > CURRENT_TIMESTAMP) AND ((collections.uuid = 'su92l-4zz18-hll1sflwwh8ogk1')) LIMIT 100 OFFSET 0> 
 </pre> 

 It's not obvious that this is exploitable, but the fact that we're generating an invalid SQL statement without catching the error earlier is very concerning.

Back

Project

General

Profile

Arvados

Bug #5738