ZugNZwang opened a new issue #4525: servers endpoint lacks several validation checks URL: https://github.com/apache/trafficcontrol/issues/4525 <!-- ************ STOP!! ************ If this issue identifies a security vulnerability, DO NOT submit it! Instead, contact the Apache Software Foundation Security Team at [email protected] and follow the guidelines at https://www.apache.org/security/ regarding vulnerability disclosure. --> <!-- - For *SUPPORT QUESTIONS*, use the [Traffic Control slack channels](https://traffic-control-cdn.slack.com) or [Traffic Control mailing lists](http://trafficcontrol.apache.org/mailing_lists/). - Before submitting, please **SEARCH GITHUB** for a similar issue or PR. --> ## I'm submitting a ... <!-- (check all that apply with "[x]") --> <!--- security vulnerability (STOP!! - see above)--> - [X] bug report - [ ] new feature / enhancement request - [X] improvement request (usability, performance, tech debt, etc.) - [ ] other <!--(Please do not submit support requests here - see above)--> ## Traffic Control components affected ... <!-- (check all that apply with "[x]") --> - [ ] CDN in a Box - [ ] Documentation - [ ] Grove - [ ] Traffic Control Client - [ ] Traffic Monitor - [X] Traffic Ops - [ ] Traffic Ops ORT - [X] Traffic Portal - [ ] Traffic Router - [ ] Traffic Stats - [ ] Traffic Vault - [ ] unknown ## Current behavior: <!-- Describe how the bug manifests / how the current features are insufficient. --> When making a `POST` request to `/servers` with any of the following keys in the body: `ipGateway`, `ip6Gateway`, `ipNetmask`, `iloIpAddress`, `iloIpGateway`, `iloIpNetmask`, `mgmtIpAddress`, `mgmtIpGateway`, `mgmtIpNetmask` There are no checks performed to validate that they are valid IP Addresses. Traffic Portal also doesn't perform any checks on any of these fields in the server page, However it doesn't allow for an invalid IP Netmask, while TO does. Traffic portal also doesn't allow a Router Hostname to have spaces, but TO doesn't perform this check and a Router Hostname with spaces is allowed. ## Expected / new behavior: <!-- Describe what the behavior would be without the bug / how the feature would improve Traffic Control --> Traffic Ops should not allow a server to be created with invalid Ip addresses and not allow a routerHostName with spaces these should return: ```http HTTP/1.1 400 Bad Request Content-Type: application/json { "alerts": [ { "text": "<key> must be a valid IPv4 address", "level": "error" } ] } ``` OR ```http HTTP/1.1 400 Bad Request Content-Type: application/json { "alerts": [ { "text": "<key> must be a valid IPv6 address", "level": "error" } ] } ``` OR ```http HTTP/1.1 400 Bad Request Content-Type: application/json { "alerts": [ { "text": "'routerHostName' cannot contain spaces", "level": "error" } ] } ``` Traffic Portal should display a red outline around the text box with the word "Invalid" underneath. See screenshot below.  ## Minimal reproduction of the problem with instructions: <!-- If the current behavior is a bug or you can illustrate your feature request better with an example, please provide the *STEPS TO REPRODUCE* and include the applicable TC version. --> ## Anything else: <!-- e.g. stacktraces, related issues, suggestions how to fix --> <!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -->
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
