Avoid errors in the logs when invalid job IDs are passed

* Validate job IDs passed to job list API route * See https://progress.opensuse.org/issues/132545
os-autoinst · Jul 11, 2023 · 9c29c6d · 9c29c6d
1 parent 4aa69aa
commit 9c29c6d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/lib/OpenQA/WebAPI/Controller/API/V1/Job.pm b/lib/OpenQA/WebAPI/Controller/API/V1/Job.pm
@@ -15,6 +15,7 @@ use OpenQA::Events;
 use OpenQA::Scheduler::Client;
 use OpenQA::Log qw(log_error log_info);
 use List::Util qw(min);
+use Scalar::Util qw(looks_like_number);
 use Try::Tiny;
 use DBIx::Class::Timestamps 'now';
 use Mojo::Asset::Memory;
@@ -109,9 +110,14 @@ sub list ($self) {
     # we could let query_jobs do the string splitting for us, but this is
     # clearer.
     for my $arg (qw(state ids result)) {
-        next unless defined $self->param($arg);
-        $args{$arg}
-          = index($self->param($arg), ',') != -1 ? [split(',', $self->param($arg))] : $self->every_param($arg);
+        next unless defined(my $value = $self->param($arg));
+        my $values = $args{$arg} = index($value, ',') != -1 ? [split(',', $value)] : $self->every_param($arg);
+        if ($arg eq 'ids') {
+            for my $id (@$values) {
+                return $self->render(json => {error => 'ids must be integers'}, status => 400)
+                  unless looks_like_number $id;
+            }
+        }
     }
 
     my $latest = $validation->param('latest');

diff --git a/t/api/04-jobs.t b/t/api/04-jobs.t
@@ -212,6 +212,8 @@ subtest 'multiple ids' => sub {
     is(scalar(@{$t->tx->res->json->{jobs}}), 3);
     $t->get_ok('/api/v1/jobs?ids=99981&ids=99963&ids=99926');
     is(scalar(@{$t->tx->res->json->{jobs}}), 3);
+    $t->get_ok('/api/v1/jobs?ids=99981&ids=99963&ids=99926foo')->status_is(400);
+    $t->json_is('/error', 'ids must be integers', 'validation error for IDs');
 };
 
 subtest 'job overview' => sub {