server icon indicating copy to clipboard operation
server copied to clipboard
verified publisher icon gotify

Using large integers can lead to database corruption

Open d-k-bo opened this issue 3 years ago • 5 comments

Can the issue be reproduced with the latest available release? (y/n)

Which one is the environment gotify server is running in?

  • [ ] Docker
  • [X] Linux machine
  • [ ] Windows machine
Docker startup command or config file here (please mask sensitive information)
export GOTIFY_SERVER_PORT=30080
./gotify-linux-amd64

Do you have an reverse proxy installed in front of gotify server? (Please select None if the problem can be reproduced without the presense of a reverse proxy)

  • [X] None
  • [ ] Nginx
  • [ ] Apache
  • [ ] Caddy
Reverse proxy configuration (please mask sensitive information)

On which client do you experience problems? (Select as many as you can see)

  • [ ] WebUI
  • [ ] gotify-cli
  • [ ] Android Client
  • [X] 3rd-party API call (python w/ requests)

import requests

r = requests.post(
    "http://localhost:30080/application?token=Cxxx",
    json={"name": "TestApplication", "id": 9223372036854775808},
)

print(r.json())

r = requests.get("http://localhost:30080/application?token=Cxxx")

print(r.json())

What did you do?

I created an application with id 9223372036854775808 and tried to get the list of all applications.

What did you expect to see?

An error while creating the application because the value is too large or an error because of specifying the 'id' field (which is read-only according to the swagger configuration).

What did you see instead? (Include screenshots, android logcat/request dumps if possible)

The applications couldn't be listed anymore because the id overflowed and was stored as a negative value in the database.

{'id': 9223372036854775808, 'token': 'A_pITbCDbj.7S1Y', 'name': 'TestApplication', 'description': '', 'internal': False, 'image': 'static/defaultapp.png'}
{'error': 'Internal Server Error', 'errorCode': 500, 'errorDescription': 'sql: Scan error on column index 0, name "id": converting driver.Value type int64 ("-9223372036854775808") to a uint: invalid syntax'}

I think it should also be clear if fields like 'id', 'image' etc. can be used by the client or not. If they are supported, they should be specified in the API documentation, otherwise you should get a 400 Bad Request response when using them.

d-k-bo avatar Jan 13 '22 16:01 d-k-bo

It shouldn't be allowed to set the ID via the api. I'm open to accept PRs that fix this by changing the api handlers similar to this: https://github.com/gotify/server/pull/332

jmattheis avatar Jan 13 '22 16:01 jmattheis

I'm sorry I can't help with this because I don't know Go.

It shouldn't be allowed to set the ID via the api.

So can I assume that this applies to all fields that are marked as "readOnly": true? Setting 'image' could be useful to reuse existing images, even though I don't see a real benefit from it.

d-k-bo avatar Jan 13 '22 18:01 d-k-bo

So can I assume that this applies to all fields that are marked as readonly.

yes

Setting 'image' could be useful to reuse existing images, even though I don't see a real benefit from it.

Images need to be uploaded to gotify otherwise most of the resolving clientside won't work.

jmattheis avatar Jan 13 '22 18:01 jmattheis

@jmattheis can I take this one?

mateuscelio avatar Jul 19 '22 02:07 mateuscelio

@mateuscelio yes.

jmattheis avatar Jul 19 '22 06:07 jmattheis

@jmattheis I think this issue can be closed...

mateuscelio avatar Dec 02 '22 12:12 mateuscelio

I think the bug still exists for the client endpoints.

jmattheis avatar Dec 02 '22 12:12 jmattheis

I think the bug still exists for the client endpoints.

Yeah, that's true. I can address this like I did with https://github.com/gotify/server/pull/498, what do you think?

mateuscelio avatar Dec 02 '22 16:12 mateuscelio

Yes, sounds good

jmattheis avatar Dec 02 '22 18:12 jmattheis