Bug 46870

Summary: The form for sending the GET request /vuln/cve/packages on the site does not work
Product: Infrastructure
Reporter: DVoropaev <voropaevdmtr>
Component: rdb.altlinux.org
Assignee: Danil Shein <dshein>
Status: CLOSED FIXED
QA Contact: Andrey Cherepanov <cas>
Severity: normal
Priority: P5
Version: unspecified
Hardware: all
OS: Linux
Attachments:
  Description: screenshot    Flags: none

Description DVoropaev 2023-07-12 00:49:20 MSK
Created attachment 13790 [details]
screenshot

Instead of a CVE identifier, the form expects a BDU identifier:
1) I go to https://rdb.altlinux.org/api/
2) I open the form for sending the /vuln/cve/packages request
3) I enter the following values in the fields:
   CVE id: CVE-2023-33201
   branch: p10
4) I get the following (see screenshot):
>Please correct the following validation errors and try again.
>Value must follow pattern ^(BDU:\d{4}-\d{5},?)+$

If any BDU is given instead of a CVE, the request passes, but the server returns the error "CVE id Invalid input". So the server does in fact expect a CVE.

If the request is sent with curl, specifying a CVE, no errors occur:
>$ curl -X 'GET' \
>>   'https://rdb.altlinux.org/api/vuln/cve/packages?vuln_id=CVE-2022-1227&branch=p10' \
>>   -H 'accept: application/json'
>{"request_args": {"vuln_id": ["CVE-2022-1227"], "branch": "p10"}, "result": [], "vuln_info": [{"id": "CVE-2022-1227", "summary": "A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1227", "severity": "HIGH", "score": 8.800000190734863, "published": "2022-04-29T19:15:00", "modified": "2022-07-23T13:04:00", "refs": ["https://bugzilla.redhat.com/show_bug.cgi?id=2070368", "https://github.com/containers/podman/issues/10941", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/"], "json": null}], "packages": [{"branch": "p10", "hash": "2924084617307324530", "name": "podman", "version": "4.4.4", "release": "alt1", "vuln_id": "CVE-2022-1227", "vulnerable": false, "fixed": false, "cpe_matches": [], "fixed_in": []}, {"branch": "p10", "hash": "2924084617307324530", "name": "podman", "version": "4.4.4", "release": "alt1", "vuln_id": "CVE-2022-1227", "vulnerable": false, "fixed": true, "cpe_matches": [], "fixed_in": [{"id": "ALT-PU-2023-1476-1", "branch": "p10", "task_id": 315926, "subtask_id": 700, "task_state": "DONE", "hash": "2909862117654465764", "name": "podman", "version": "4.4.2", "release": "alt1", "vulns": ["CVE-2022-1227", "CVE-2022-27191", "CVE-2022-27649", "CVE-2023-0778"]}]}]}
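The report describes a client-side pattern (`^(BDU:\d{4}-\d{5},?)+$`) that rejects the CVE identifiers the server actually expects. The following added example, which is not part of the bug report or of the rdb.altlinux.org code, reproduces that mismatch and shows a validator that accepts a comma-separated list of CVE and BDU identifiers. The accepting pattern is an assumption about what a corrected form should do, not the project's actual fix; it also makes the comma between items mandatory, which the page's `,?` quantifier does not.

```python
import re

# Client-side pattern quoted in the bug report: only BDU ids match it.
CLIENT_PATTERN = re.compile(r"^(BDU:\d{4}-\d{5},?)+$")

# Assumed corrected pattern (not taken from the page): a comma-separated list of
# CVE ids (4-digit year, sequence of 4 or more digits) and/or BDU ids
# (4-digit year, 5-digit sequence), with no trailing comma and no fused items.
_ITEM = r"(?:CVE-\d{4}-\d{4,}|BDU:\d{4}-\d{5})"
VULN_ID_PATTERN = re.compile(rf"^{_ITEM}(?:,{_ITEM})*$")


def client_accepts(value: str) -> bool:
    """Return True if the form pattern from the report would let the value through."""
    return CLIENT_PATTERN.fullmatch(value) is not None


def is_valid_vuln_id_list(value: str) -> bool:
    """Return True if the value is a well-formed list of CVE/BDU identifiers."""
    return VULN_ID_PATTERN.fullmatch(value) is not None


def parse_vuln_ids(value: str) -> list[str]:
    """Validate the vuln_id query value and split it into individual identifiers.

    Raises ValueError on input that does not match, mirroring a form validation
    error rather than silently passing the value on to the server.
    """
    if not is_valid_vuln_id_list(value):
        raise ValueError(f"vuln_id {value!r} does not match {VULN_ID_PATTERN.pattern}")
    return value.split(",")


if __name__ == "__main__":
    # Constructed sample inputs: the CVE from the report plus a made-up BDU id.
    for sample in ("CVE-2023-33201", "BDU:2023-00001", "CVE-2022-1227,BDU:2023-00001"):
        print(f"{sample!r}: form accepts={client_accepts(sample)}, "
              f"parsed={parse_vuln_ids(sample)}")
```

Running the block shows the reported behaviour directly: the form pattern rejects `CVE-2023-33201` while the combined validator accepts it, and fused or trailing-comma input such as `CVE-2022-1227BDU:2023-00001` or `CVE-2022-1227,` is rejected by the stricter pattern.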
Comment 1 Danil Shein 2023-07-12 11:32:26 MSK
The input validation error for this request has been fixed in version 1.14.0+.

The update has already been deployed at https://rdb.altlinux.org/api/.