From 2c7ec27ad94a5a369c7d8a45dcef66a18479900b Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Fri, 27 May 2016 08:19:39 +0200
Subject: [PATCH] batch command can be used to trigger internal errors on server In ipalib, the batch command expects a specific format for arguments. The code did not check the format of the parameters, which could trigger internal errors on the server. With this fix: - a ConversionError is raised if the arg passed to batch() is not a list of dict - the result appended to the batch results is a ConversionError if the 'params' does not contain a tuple(list,dict) https://fedorahosted.org/freeipa/ticket/5810
Reviewed-By: Stanislav Laznicka
---
 ipaserver/plugins/batch.py | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/ipaserver/plugins/batch.py b/ipaserver/plugins/batch.py
index 84a650575..aebdc2f72 100644
--- a/ipaserver/plugins/batch.py
+++ b/ipaserver/plugins/batch.py
@@ -90,6 +90,12 @@ class batch(Command):
 def execute(self, methods=None, **options):
 results = []
 for arg in (methods or []):
+ # As take_args = Any, no check is done before
+ # Need to make sure that methods contain dict objects
+ if not isinstance(arg, dict):
+ raise errors.ConversionError(
+ name='methods',
+ error=_(u'must contain dict objects'))
 params = dict()
 name = None
 try:
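Review bot: The new type check raises from inside the loop but before the `try` on the hunk's last line, so a non-dict entry at position N aborts the whole call after the entries before it have already been run through `api.Command[name](...)` (visible in the next hunk), and the client receives an error with none of their results. Validating every entry before the loop starts avoids that partial run, for example `if not all(isinstance(arg, dict) for arg in (methods or [])):` followed by the same `raise errors.ConversionError(...)`. The comment would read more clearly as `# 'methods' is declared as Any, so its elements reach execute() without any type validation`. The body of `execute` continues past the end of this hunk.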
@@ -100,9 +106,21 @@ class batch(Command):
 name = arg['method']
 if name not in self.Command:
 raise errors.CommandError(name=name)
- a, kw = arg['params']
- newkw = dict((str(k), v) for k, v in kw.items())
- params = api.Command[name].args_options_2_params(*a, **newkw)
+
+ # If params are not formated as a tuple(list, dict)
+ # the following lines will raise an exception
+ # that triggers an internal server error
+ # Raise a ConversionError instead to report the issue
+ # to the client
+ try:
+ a, kw = arg['params']
+ newkw = dict((str(k), v) for k, v in kw.items())
+ params = api.Command[name].args_options_2_params(
+ *a, **newkw)
+ except (AttributeError, ValueError, TypeError):
+ raise errors.ConversionError(
+ name='params',
+ error=_(u'must contain a tuple (list, dict)'))
 newkw.setdefault('version', options['version'])
 result = api.Command[name](*a, **newkw)
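Review bot: The `try` added around the unpacking also encloses the `args_options_2_params(...)` call, so an AttributeError, ValueError or TypeError raised inside that call for any other reason would be returned to the client as "must contain a tuple (list, dict)", which hides the real fault. The shape is also inferred from failures rather than checked: a string in the first position of `params` unpacks without error and is passed on character by character as positional arguments. Checking the types explicitly before unpacking, and leaving the conversion call outside the catch, keeps the ConversionError specific to malformed input. The enclosing `try` and the rest of `execute` lie outside the hunk, so how other exceptions from the call are reported should be confirmed there.

```python
# Check the shape explicitly so that only a malformed 'params'
# value is reported as a ConversionError
call_params = arg['params']
if not (isinstance(call_params, (list, tuple))
        and len(call_params) == 2
        and isinstance(call_params[0], (list, tuple))
        and isinstance(call_params[1], dict)):
    raise errors.ConversionError(
        name='params',
        error=_(u'must contain a tuple (list, dict)'))
a, kw = call_params
newkw = dict((str(k), v) for k, v in kw.items())
# The conversion call is no longer covered by a broad except clause
params = api.Command[name].args_options_2_params(*a, **newkw)
# … unchanged: newkw.setdefault('version', ...) and the command call …
```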