public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [PATCH RFC common] fix #4778: fix boolean type check for json parameters over the api
@ 2023-06-15  9:32 Dominik Csapak
  2023-06-15  9:51 ` Wolfgang Bumiller
  0 siblings, 1 reply; 5+ messages in thread
From: Dominik Csapak @ 2023-06-15  9:32 UTC (permalink / raw)
  To: pve-devel

if a real json boolean is sent via the api, $value is a
JSON::PP::Boolean here instead of a string/scalar

so we should validate that too

the $value itself can be used normally in conditions like
----
if ($value) {
----

This worked for most api calls by accident before commit:
f398a3d ("proxy request: forward json content type and parameters")

since when the call was proxied to pvedaemon or another node, it would
get translated to a www-form-urlencoded parameter instead of json
and most (if not all) api calls that accept boolean parameters in the
body (POST/PUT) are forwarded to pvedaemon

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
i tested this with a few api calls (e.g. in the user creation/edit)
and it worked, but maybe the safer option would be to convert those
values to '1'/'0' ? we could reuse the 'normalize_legacy_param_formats'
function in RESTHandler for this, but this only checks the top level
parameters (which would be enough for now)

 src/PVE/JSONSchema.pm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/PVE/JSONSchema.pm b/src/PVE/JSONSchema.pm
index 85d47f2..ebe443f 100644
--- a/src/PVE/JSONSchema.pm
+++ b/src/PVE/JSONSchema.pm
@@ -10,6 +10,7 @@ use Devel::Cycle -quiet; # todo: remove?
 use PVE::Tools qw(split_list $IPV6RE $IPV4RE);
 use PVE::Exception qw(raise);
 use HTTP::Status qw(:constants);
+use JSON;
 use Net::IP qw(:PROC);
 use Data::Dumper;
 
@@ -1039,7 +1040,9 @@ sub check_type {
 	    # qr// regexes can be used as strings and make sense for format=regex
 	    return 1;
 	} else {
-	    if ($vt) {
+	    if ($type eq 'boolean' && JSON::is_bool($value)) {
+		return 1;
+	    } elsif ($vt) {
 		add_error($errors, $path, "type check ('$type') failed - got $vt");
 		return undef;
 	    } else {
-- 
2.30.2





^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2023-06-15 12:43 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-15  9:32 [pve-devel] [PATCH RFC common] fix #4778: fix boolean type check for json parameters over the api Dominik Csapak
2023-06-15  9:51 ` Wolfgang Bumiller
2023-06-15 11:12   ` Dominik Csapak
2023-06-15 12:28     ` Thomas Lamprecht
2023-06-15 12:43       ` Wolfgang Bumiller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal