mooli tayer has uploaded a new change for review. Change subject: rest-api: validation of max parameter in restapi ......................................................................
rest-api: validation of max parameter in restapi
Api should return proper error if: max parameter is not a number OR it is smaller then -1(=no limit) and not attempt an sql query with such faulty parameters.
Change-Id: Iae3397dba4dffbff2ecf7d7601861540b52aa9bb
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=888469
Signed-off-by: Mooli Tayer <[email protected]>
---
M backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/AbstractBackendCollectionResource.java
M backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendResource.java
M backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BaseBackendResource.java
3 files changed, 26 insertions(+), 6 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/43/18043/1
diff --git a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/AbstractBackendCollectionResource.java b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/AbstractBackendCollectionResource.java
index ff01eec..cc27ef4 100644
--- a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/AbstractBackendCollectionResource.java
+++ b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/AbstractBackendCollectionResource.java
@@ -88,8 +88,12 @@
 }
 }
- if (QueryHelper.hasMatrixParam(getUriInfo(), MAX) && getMaxResults()!=NO_LIMIT) {
- searchParams.setMaxCount(getMaxResults());
+ try {
+ if (QueryHelper.hasMatrixParam(getUriInfo(), MAX) && getMaxResults() != NO_LIMIT) {
+ searchParams.setMaxCount(getMaxResults());
+ }
+ } catch (MalformedNumberException mne){
+ handleError(mne, false);
 }
 return searchParams;
 }
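Review bot: The new catch block only acts as validation if `handleError(mne, false)` always throws; if it can return, execution falls through to `return searchParams` with no max count set, which is the unbounded query this change is meant to prevent. handleError is not visible in this hunk, so that should be confirmed and stated on the line, e.g. `// handleError() always throws, so an invalid max never reaches the search`. getMaxResults() is also evaluated twice per request inside the try; reading it once into a local (`int max = getMaxResults();`) keeps the comparison and the setMaxCount call on the same parsed value. The enclosing method starts above the hunk.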
diff --git a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendResource.java b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendResource.java
index 0c11c4a..31e9b41 100644
--- a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendResource.java
+++ b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BackendResource.java
@@ -126,21 +126,31 @@
 }
 }
- protected int getMaxResults() {
+ protected int getMaxResults() throws MalformedNumberException{
 if (getUriInfo()!=null && QueryHelper.hasMatrixParam(getUriInfo(), MAX)) {
 HashMap<String,String> matrixConstraints = QueryHelper.getMatrixConstraints(getUriInfo(), MAX);
 String maxString = matrixConstraints.get(MAX);
 try {
- return Integer.valueOf(maxString);
+ Integer max = Integer.valueOf(maxString);
+ // fail if max is lt -1
+ if (max.compareTo(-1) == -1){
+ return failMaxResults(maxString);
+ }
+ return max;
 } catch (NumberFormatException e) {
- LOG.error("Max number of results is not a valid number: '" + maxString + "'. Resorting to default behavior - no limit on number of query results.");
- return NO_LIMIT;
+ return failMaxResults(maxString);
 }
 } else {
 return NO_LIMIT;
 }
 }
+ private int failMaxResults(String maxString) throws MalformedNumberException {
+ String errorMessage = "Max number of results is not a valid number: " + maxString;
+ LOG.error(errorMessage);
+ throw new MalformedNumberException(errorMessage, Response.Status.BAD_REQUEST);
+ }
+
 protected Response performAction(VdcActionType task, VdcActionParametersBase params, Action action) {
 return performAction(task, params, action, false);
 }
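Review bot: failMaxResults concatenates the raw matrix parameter into both the log line and the exception message, so a client-chosen string (control characters such as CR/LF, or arbitrarily long input) lands unmodified in the ERROR log and, presumably, in the 400 body built from MalformedNumberException. The helper should neutralise control characters and cap the length before the value is used, as sketched below. Separately, the range check `max.compareTo(-1) == -1` depends on compareTo returning exactly -1, where the Comparable contract only promises a negative value, and it repeats the constant as a literal; `if (max < NO_LIMIT) {` states the rule directly. The change also leaves max without an upper bound, which may be worth a follow-up if the search backend does not cap it itself.
```java
private int failMaxResults(String maxString) throws MalformedNumberException {
    // maxString is client-controlled: replace control characters and cap the
    // length so it cannot forge log lines or bloat the log and the error body
    String shown = maxString == null ? "null" : maxString.replaceAll("\\p{Cntrl}", "_");
    if (shown.length() > 32) {
        shown = shown.substring(0, 32) + "...";
    }
    String errorMessage = "Max number of results is not a valid number: '" + shown + "'";
    // … unchanged: LOG.error(errorMessage) and throw of MalformedNumberException …
}
```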
diff --git a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BaseBackendResource.java b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BaseBackendResource.java
index d78599f..f29e08b 100644
--- a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BaseBackendResource.java
+++ b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/BaseBackendResource.java
@@ -162,6 +162,12 @@
 }
 }
+ protected class MalformedNumberException extends BackendFailureException {
+ public MalformedNumberException(String msg, Status status ) {
+ super(msg, status);
+ }
+ }
+
 public class WebFaultException extends WebApplicationException {
 private static final long serialVersionUID = 394735369823915802L;
--
To view, visit http://gerrit.ovirt.org/18043
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Iae3397dba4dffbff2ecf7d7601861540b52aa9bb
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: mooli tayer <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
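Review bot: MalformedNumberException is added without a Javadoc comment or a `serialVersionUID`, while WebFaultException directly below it declares one. A one-line comment such as `/** Thrown when a numeric request parameter cannot be parsed or is out of range; carries the HTTP status to return. */` would tell callers what catching it means. As a non-static inner class it also holds a reference to the enclosing resource instance; `protected static class` would avoid that if BackendFailureException permits it, which is not visible in this hunk. WebFaultException continues below the hunk.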
