Bug 46870 - The form for sending a GET request to /vuln/cve/packages on the site does not work
Summary: The form for sending a GET request to /vuln/cve/packages on the site does not work
Status: CLOSED FIXED
Alias: None
Product: Infrastructure
Classification: Infrastructure
Component: rdb.altlinux.org
Version: unspecified
Hardware: all Linux
Importance: P5 normal
Assignee: Danil Shein
QA Contact: Andrey Cherepanov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-12 00:49 MSK by DVoropaev
Modified: 2023-07-12 11:32 MSK

See Also:


Attachments
screenshot (39.50 KB, image/png)
2023-07-12 00:49 MSK, DVoropaev

Description DVoropaev 2023-07-12 00:49:20 MSK
Created attachment 13790 [details]
screenshot

Instead of a CVE identifier, the form expects a BDU identifier:
1) I go to https://rdb.altlinux.org/api/
2) I open the form for sending the /vuln/cve/packages request
3) I enter the following values in the fields:
   CVE id: CVE-2023-33201
   branch: p10
4) I get the following (see screenshot):
>Please correct the following validation errors and try again.
>Value must follow pattern ^(BDU:\d{4}-\d{5},?)+$

If any BDU is specified instead of the CVE, the request goes through, but the server returns the error "CVE id Invalid input". So the server does expect a CVE after all.

If the request is sent with curl, specifying a CVE, no errors occur:
>$ curl -X 'GET' \
>>   'https://rdb.altlinux.org/api/vuln/cve/packages?vuln_id=CVE-2022-1227&branch=p10' \
>>   -H 'accept: application/json'
>{"request_args": {"vuln_id": ["CVE-2022-1227"], "branch": "p10"}, "result": [], "vuln_info": [{"id": "CVE-2022-1227", "summary": "A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1227", "severity": "HIGH", "score": 8.800000190734863, "published": "2022-04-29T19:15:00", "modified": "2022-07-23T13:04:00", "refs": ["https://bugzilla.redhat.com/show_bug.cgi?id=2070368", "https://github.com/containers/podman/issues/10941", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/"], "json": null}], "packages": [{"branch": "p10", "hash": "2924084617307324530", "name": "podman", "version": "4.4.4", "release": "alt1", "vuln_id": "CVE-2022-1227", "vulnerable": false, "fixed": false, "cpe_matches": [], "fixed_in": []}, {"branch": "p10", "hash": "2924084617307324530", "name": "podman", "version": "4.4.4", "release": "alt1", "vuln_id": "CVE-2022-1227", "vulnerable": false, "fixed": true, "cpe_matches": [], "fixed_in": [{"id": "ALT-PU-2023-1476-1", "branch": "p10", "task_id": 315926, "subtask_id": 700, "task_state": "DONE", "hash": "2909862117654465764", "name": "podman", "version": "4.4.2", "release": "alt1", "vulns": ["CVE-2022-1227", "CVE-2022-27191", "CVE-2022-27649", "CVE-2023-0778"]}]}]}
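The report above is a client/server validation mismatch: the form's pattern `^(BDU:\d{4}-\d{5},?)+$` rejects every CVE id, while the API only accepts CVE ids. The following added example (not code from the rdb.altlinux.org project, and not its actual fix) reproduces the mismatch with the form pattern quoted in the report, models the server side as an assumed CVE-only comma-separated list (inferred from the "CVE id Invalid input" error and the `vuln_id` list in `request_args`), and shows a single shared pattern that accepts both id formats so that client and server cannot disagree. The sample inputs are constructed for the demonstration.

```python
import re

# Pattern the web form used, copied verbatim from the validation error in the report.
FORM_PATTERN = re.compile(r"^(BDU:\d{4}-\d{5},?)+$")

# Assumption: the server validates vuln_id as a comma-separated list of CVE ids only
# (inferred from the "CVE id Invalid input" error, not taken from the project's source).
CVE_ID = r"CVE-\d{4}-\d{4,}"
BDU_ID = r"BDU:\d{4}-\d{5}"
SERVER_PATTERN = re.compile(rf"^{CVE_ID}(?:,{CVE_ID})*$")

# Hypothetical shared pattern: each element is a CVE or BDU id, elements are separated
# by exactly one comma, no trailing comma and no two ids glued together.
VULN_ID_ELEMENT = rf"(?:{CVE_ID}|{BDU_ID})"
SHARED_PATTERN = re.compile(rf"^{VULN_ID_ELEMENT}(?:,{VULN_ID_ELEMENT})*$")


def form_accepts(value: str) -> bool:
    """Client-side check as the broken form performed it."""
    return FORM_PATTERN.fullmatch(value) is not None


def server_accepts(value: str) -> bool:
    """Assumed server-side check: CVE ids only."""
    return SERVER_PATTERN.fullmatch(value) is not None


def shared_accepts(value: str) -> bool:
    """One pattern used on both sides, so the form can never reject what the API takes."""
    return SHARED_PATTERN.fullmatch(value) is not None


def find_mismatches(inputs):
    """Return inputs on which the form and the server disagree; a non-empty list means
    users are either blocked from valid requests or let through to a server error."""
    return [v for v in inputs if form_accepts(v) != server_accepts(v)]


# Constructed sample inputs, including the CVE ids from the report and two edge cases
# that the form's pattern accepts only because of its loose ",?" quantifier.
SAMPLE_INPUTS = [
    "CVE-2023-33201",                  # the value the reporter typed into the form
    "CVE-2022-1227",                   # the value that worked via curl
    "CVE-2022-1227,CVE-2023-0778",     # list form, as request_args shows vuln_id is a list
    "BDU:2023-00001",                  # accepted by the form, rejected by the server
    "BDU:2023-00001,",                 # trailing comma slips through the form pattern
    "BDU:2023-00001BDU:2023-00002",    # two ids with no separator also slip through
    "not-an-id",                       # rejected by both, so not a mismatch
]


if __name__ == "__main__":
    for v in SAMPLE_INPUTS:
        print(f"{v!r:35} form={form_accepts(v)!s:5} server={server_accepts(v)!s:5} "
              f"shared={shared_accepts(v)}")
    print("mismatches:", find_mismatches(SAMPLE_INPUTS))
```

Running it shows every CVE input rejected by the form and accepted by the server, and every BDU input the other way round; only "not-an-id" is treated the same by both. The fix that matters for defenders is not the particular regex but keeping one validation rule on both sides, because a stricter client than server silently blocks legitimate use, and a looser client than server turns validation errors into server-side error responses.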
Comment 1 Danil Shein 2023-07-12 11:32:26 MSK
The input validation error for this request has been fixed in version 1.14.0+.

The update has already been deployed to https://rdb.altlinux.org/api/.