Insufficient validation of boolean filters #11539

@candlerb

Description

NetBox version

v3.4.2

Python version

3.8

Steps to Reproduce

curl -vsS -H "Authorization: Token $TOKEN" "$NETBOX/api/dcim/devices/?name__empty=asdf"

Expected Behavior

The request to be rejected with a 4xx status code (probably 400)

Observed Behavior

An exception was raised, returned with a 500 status code and E-mailed to admins.

Internal Server Error: /api/dcim/devices/

DataError at /api/dcim/devices/
invalid input syntax for type boolean: "asdf"
LINE 1: ... CAST(LENGTH("dcim_device"."name") AS BOOLEAN) != 'asdf') su...
                                                             ^
...
Traceback (most recent call last):
  File "/opt/netbox/venv/lib/python3.8/site-packages/django/db/backends/utils.py", line 89, in _execute
    return self.cursor.execute(sql, params)
  File "/opt/netbox/venv/lib/python3.8/site-packages/django_prometheus/db/common.py", line 71, in execute
    return super().execute(*args, **kwargs)

The above exception (invalid input syntax for type boolean: "asdf"
LINE 1: ... CAST(LENGTH("dcim_device"."name") AS BOOLEAN) != 'asdf') su...
                                                             ^
) was the direct cause of the following exception:
  File "/opt/netbox/venv/lib/python3.8/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/opt/netbox/venv/lib/python3.8/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/netbox/venv/lib/python3.8/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.8/site-packages/rest_framework/viewsets.py", line 125, in view
    return self.dispatch(request, *args, **kwargs)
  File "/opt/netbox/netbox/netbox/api/viewsets/__init__.py", line 118, in dispatch
    return super().dispatch(request, *args, **kwargs)
  File "/opt/netbox/venv/lib/python3.8/site-packages/rest_framework/views.py", line 509, in dispatch
    response = self.handle_exception(exc)
  File "/opt/netbox/venv/lib/python3.8/site-packages/rest_framework/views.py", line 469, in handle_exception
    self.raise_uncaught_exception(exc)
  File "/opt/netbox/venv/lib/python3.8/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
    raise exc
  File "/opt/netbox/venv/lib/python3.8/site-packages/rest_framework/views.py", line 506, in dispatch
    response = handler(request, *args, **kwargs)
  File "/opt/netbox/netbox/netbox/api/viewsets/__init__.py", line 149, in list
    return super().list(request, *args, **kwargs)
  File "/opt/netbox/venv/lib/python3.8/site-packages/rest_framework/mixins.py", line 40, in list
    page = self.paginate_queryset(queryset)
  File "/opt/netbox/venv/lib/python3.8/site-packages/rest_framework/generics.py", line 171, in paginate_queryset
    return self.paginator.paginate_queryset(queryset, self.request, view=self)
  File "/opt/netbox/netbox/netbox/api/pagination.py", line 19, in paginate_queryset
    self.count = self.get_queryset_count(queryset)
  File "/opt/netbox/netbox/netbox/api/pagination.py", line 85, in get_queryset_count
    return cloned_queryset.count()
  File "/opt/netbox/venv/lib/python3.8/site-packages/django/db/models/query.py", line 621, in count
    return self.query.get_count(using=self.db)
  File "/opt/netbox/venv/lib/python3.8/site-packages/django/db/models/sql/query.py", line 559, in get_count
    return obj.get_aggregation(using, ["__count"])["__count"]
  File "/opt/netbox/venv/lib/python3.8/site-packages/django/db/models/sql/query.py", line 544, in get_aggregation
    result = compiler.execute_sql(SINGLE)
  File "/opt/netbox/venv/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1398, in execute_sql
    cursor.execute(sql, params)
  File "/opt/netbox/venv/lib/python3.8/site-packages/django/db/backends/utils.py", line 67, in execute
    return self._execute_with_wrappers(
  File "/opt/netbox/venv/lib/python3.8/site-packages/django/db/backends/utils.py", line 80, in _execute_with_wrappers
    return executor(sql, params, many, context)
  File "/opt/netbox/venv/lib/python3.8/site-packages/django/db/backends/utils.py", line 89, in _execute
    return self.cursor.execute(sql, params)
  File "/opt/netbox/venv/lib/python3.8/site-packages/django/db/utils.py", line 91, in __exit__
    raise dj_exc_value.with_traceback(traceback) from exc_value
  File "/opt/netbox/venv/lib/python3.8/site-packages/django/db/backends/utils.py", line 89, in _execute
    return self.cursor.execute(sql, params)
  File "/opt/netbox/venv/lib/python3.8/site-packages/django_prometheus/db/common.py", line 71, in execute
    return super().execute(*args, **kwargs)

Exception Type: DataError at /api/dcim/devices/
Exception Value: invalid input syntax for type boolean: "asdf"
LINE 1: ... CAST(LENGTH("dcim_device"."name") AS BOOLEAN) != 'asdf') su...
                                                             ^

Raised during: dcim.api.views.DeviceViewSet
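To show the defect and the fix side by side, here is an added example (not NetBox or django-filter code) that models the `name__empty` filter in memory. The `Device` class, the simplified `db_cast_boolean` stand-in for PostgreSQL's boolean input parsing, the two `list_devices_*` handlers and the accepted spellings in `parse_bool_param` are all assumptions constructed for the example. The unvalidated handler hands the raw query-string value to the query layer, where the cast fails exactly as in the traceback and surfaces as a 500; the validated handler parses the value at the API boundary and turns the same request into a 400 with a message naming the bad parameter.

```python
"""Strict validation of boolean query filters (added example, not NetBox code).

Models issue #11539: `?name__empty=asdf` reaches the database as a boolean
parameter, the driver raises DataError, and the API answers 500. Parsing the
value at the API boundary turns the same request into a 400.
"""
from dataclasses import dataclass


class DataError(Exception):
    """Stand-in for the database driver's DataError (constructed for the example)."""


class ValidationError(ValueError):
    """Rejection that the view maps to HTTP 400 (constructed for the example)."""


@dataclass
class Device:
    name: str


def db_cast_boolean(value) -> bool:
    """Simplified mimic of PostgreSQL boolean input parsing (subset of spellings).

    A bound Python bool passes through; a string is parsed the way the
    database would parse the literal in `... != 'asdf'`.
    """
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in {"t", "true", "yes", "on", "1"}:
        return True
    if text in {"f", "false", "no", "off", "0"}:
        return False
    raise DataError(f'invalid input syntax for type boolean: "{value}"')


def query_name_empty(devices, param):
    """Stand-in for `WHERE CAST(LENGTH(name) AS BOOLEAN) != %s`.

    The parameter is cast by the database, so a bad value fails here, deep
    inside query execution, as the traceback shows.
    """
    rhs = db_cast_boolean(param)
    # CAST(LENGTH(name) AS BOOLEAN) is true for a non-empty name.
    return [d for d in devices if (len(d.name) != 0) != rhs]


def parse_bool_param(raw: str) -> bool:
    """Parse a query-string boolean strictly; accepted spellings are an assumption."""
    text = raw.strip().lower()
    if text in {"true", "1"}:
        return True
    if text in {"false", "0"}:
        return False
    raise ValidationError(f"{raw!r} is not a valid boolean")


def list_devices_unvalidated(devices, params):
    """Before the fix: raw value handed straight to the query layer."""
    try:
        if "name__empty" in params:
            rows = query_name_empty(devices, params["name__empty"])
        else:
            rows = list(devices)
    except DataError:
        # The real app re-raises; the handler turns it into a 500 and mails admins.
        return 500, {"detail": "Internal Server Error"}
    return 200, [d.name for d in rows]


def list_devices_validated(devices, params):
    """After the fix: value parsed at the boundary, bad input becomes a 400."""
    try:
        if "name__empty" in params:
            rows = query_name_empty(devices, parse_bool_param(params["name__empty"]))
        else:
            rows = list(devices)
    except ValidationError as exc:
        return 400, {"name__empty": [str(exc)]}
    return 200, [d.name for d in rows]


if __name__ == "__main__":
    # Constructed sample data: one device with an empty name.
    sample = [Device("core-sw1"), Device(""), Device("edge-rtr1")]
    print(list_devices_unvalidated(sample, {"name__empty": "asdf"}))  # 500
    print(list_devices_validated(sample, {"name__empty": "asdf"}))    # 400
    print(list_devices_validated(sample, {"name__empty": "true"}))    # 200, ['']
```

The key design point is where the cast happens: once a value is bound as a typed Python bool, the database never sees an unparseable literal, so every malformed input is rejected before any SQL is built.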

Labels

status: accepted (This issue has been accepted for implementation)
type: bug (A confirmed report of unexpected behavior in the application)