Red Hat 3scale API Management / THREESCALE-8441

Lack of validation for Backend's "System Name" field might lead to a 500 Internal Error in Admin Portal


      Not differentiating Backend System Names by case would allow customers to keep creating Backends normally.

      1. In the Admin Portal, try to create a Backend with a System Name that has already been taken by another Backend. Notice that a "System name has already been taken" message appears on the screen [1].
      2. In the same window, change the case of any letter in the System Name field (e.g. change the first letter from uppercase to lowercase or vice versa). Notice that a 500 (Internal Server Error) occurs [2].
      3. Looking at the Kibana logs for the request shows that a RecordNotUnique error was raised by the database.
      4. In the Account Management API, send a Backend Create request with the System Name parameter set to the same name used in step 2. Notice that a 409 (Conflict) error is returned instead.

      [1] - step1.png

      [2] - step2.png and step3.png

       


      The Admin Portal's validation of the Backend System Name field is case sensitive, but the database's uniqueness check is not.
      As a result, the Admin Portal sends Create Backend requests with System Names that already exist from the database's point of view, differing only in letter case.
      The database then raises a RecordNotUnique error, which surfaces as a 500 (Internal Server Error) response.
      When the same Backend creation request is made through the Account Management API, the error returned is a 409 (Conflict), which is a clearer response than a generic 500 (Internal Server Error).

      Bugsnag issue is THREESCALE-5046.
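      The following is an added example written for this page; it is not 3scale code. It models, in plain Ruby without ActiveRecord, the mismatch described above (a case-sensitive application-side uniqueness check in front of a case-insensitive database unique index), walks through the four reproduction steps, and shows the case-insensitive validation that would make the form catch the duplicate. The class and method names, the 422 status for a form validation failure, and the MySQL-style case-insensitive index are all assumptions for illustration.

```ruby
# Added example, not 3scale's code: a plain-Ruby model of the mismatch this
# issue describes between a case-sensitive application-side uniqueness check
# and a case-insensitive database unique index, plus the case-insensitive fix.
# Class names, messages and the 422 status are illustrative assumptions.

# Stand-in for ActiveRecord::RecordNotUnique.
class RecordNotUnique < StandardError; end

# Stand-in for the backends table. Its unique index on system_name compares
# values case-insensitively, as a MySQL *_ci collation would (assumption).
class BackendTable
  def initialize
    @rows = {}
  end

  def insert(system_name)
    key = system_name.downcase
    if @rows.key?(key)
      raise RecordNotUnique, "Duplicate entry '#{system_name}' for key 'index_backends_on_system_name'"
    end
    @rows[key] = system_name
  end

  def names
    @rows.values
  end
end

# Stand-in for the controller action that creates a Backend.
#   case_sensitive_validation: true -> the Admin Portal behaviour in the report
#   rescue_db_conflict: true        -> the Account Management API behaviour (409)
class BackendCreator
  def initialize(table, case_sensitive_validation:, rescue_db_conflict:)
    @table = table
    @case_sensitive = case_sensitive_validation
    @rescue_db_conflict = rescue_db_conflict
  end

  # Returns [http_status, message], as a controller action would.
  def create(system_name)
    # Application-side validation: this is what produces the
    # "System name has already been taken" message on the form.
    return [422, "System name has already been taken"] if taken?(system_name)

    # Validation passed, so the INSERT is attempted. With case-sensitive
    # validation, "payments" reaches this point even though "Payments" exists.
    @table.insert(system_name)
    [201, "Created"]
  rescue RecordNotUnique => e
    # The database rejected the row. The API maps this to 409 Conflict; an
    # unhandled exception is rendered by the framework as a generic 500.
    @rescue_db_conflict ? [409, "Conflict"] : [500, "Internal Server Error (#{e.class})"]
  end

  private

  # Case-sensitive compare (the reported bug) or case-insensitive compare (the fix).
  def taken?(system_name)
    @table.names.any? do |existing|
      @case_sensitive ? existing == system_name : existing.casecmp?(system_name)
    end
  end
end

# Walk through the reproduction steps of this issue against one shared table
# and return the status codes observed, in order.
def reproduce
  table  = BackendTable.new
  portal = BackendCreator.new(table, case_sensitive_validation: true,  rescue_db_conflict: false)
  api    = BackendCreator.new(table, case_sensitive_validation: true,  rescue_db_conflict: true)
  fixed  = BackendCreator.new(table, case_sensitive_validation: false, rescue_db_conflict: true)

  [
    portal.create("Payments").first, # 201: the first Backend is created
    portal.create("Payments").first, # 422: step 1, "System name has already been taken"
    portal.create("payments").first, # 500: step 2, validation passes, DB raises RecordNotUnique
    api.create("payments").first,    # 409: step 4, the same INSERT via the API
    fixed.create("PAYMENTS").first,  # 422: with case-insensitive validation the form catches it
  ]
end

puts reproduce.inspect if $PROGRAM_NAME == __FILE__
```

      In an ActiveRecord model the equivalent of the `fixed` configuration is `validates :system_name, uniqueness: { case_sensitive: false }`, which makes the application-side check agree with a case-insensitive index; this is a general Rails option, not a statement about how 3scale resolved the issue. The rescue of `RecordNotUnique` to a 409 should stay in place even after the validation is fixed, because a check-then-insert sequence is still racy under concurrent requests and the unique index is the only authoritative guard.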

        1. image-2022-06-08-17-51-30-222.png (42 kB, Nidhi Soni)
        2. step1.png (28 kB, Raphael Magno Moreira Morsch)
        3. step2.png (26 kB, Raphael Magno Moreira Morsch)
        4. step3.png (19 kB, Raphael Magno Moreira Morsch)

              ramoreir@redhat.com Raphael Magno Moreira Morsch