batch command can be used to trigger internal errors on server

In ipalib, the batch command expects a specific format for arguments. The code did not check the format of the parameters, which could trigger internal errors on the server. With this fix: - a ConversionError is raised if the arg passed to batch() is not a list of dict - the result appended to the batch results is a ConversionError if the 'params' does not contain a tuple(list,dict) https://fedorahosted.org/freeipa/ticket/5810 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-05-27 08:19:39 +02:00 · 2016-05-27 08:19:39 +02:00 · 2c7ec27ad9
commit 2c7ec27ad9
parent 9f48c39649
1 changed files with 21 additions and 3 deletions
--- a/ipaserver/plugins/batch.py
+++ b/ipaserver/plugins/batch.py
@ -90,6 +90,12 @@ class batch(Command):
    def execute(self, methods=None, **options):
        results = []
        for arg in (methods or []):
+            # As take_args = Any, no check is done before
+            # Need to make sure that methods contain dict objects
+            if not isinstance(arg, dict):
+                raise errors.ConversionError(
+                    name='methods',
+                    error=_(u'must contain dict objects'))
            params = dict()
            name = None
            try:
@ -100,9 +106,21 @@ class batch(Command):
                name = arg['method']
                if name not in self.Command:
                    raise errors.CommandError(name=name)
-                a, kw = arg['params']
-                newkw = dict((str(k), v) for k, v in kw.items())
-                params = api.Command[name].args_options_2_params(*a, **newkw)
+
+                # If params are not formated as a tuple(list, dict)
+                # the following lines will raise an exception
+                # that triggers an internal server error
+                # Raise a ConversionError instead to report the issue
+                # to the client
+                try:
+                    a, kw = arg['params']
+                    newkw = dict((str(k), v) for k, v in kw.items())
+                    params = api.Command[name].args_options_2_params(
+                        *a, **newkw)
+                except (AttributeError, ValueError, TypeError):
+                    raise errors.ConversionError(
+                        name='params',
+                        error=_(u'must contain a tuple (list, dict)'))
                newkw.setdefault('version', options['version'])

                result = api.Command[name](*a, **newkw)