VulnerabilityCreate mutation returns 500 error when identifiers is empty
Summary
The CreateVulnerability GraphQL mutation returns an internal server error when given an empty list of identifiers.
Steps to reproduce
- Fill in the query textarea with this query:
  mutation vulnerabilityCreate($input: VulnerabilityCreateInput!) {
    vulnerabilityCreate(input: $input) {
      errors
      vulnerability { id vulnerabilityPath }
    }
  }
- Expand the Query Variables textarea and fill it in with these variables:
  {
    "input": {
      "clientMutationId": "1",
      "project": "gid://gitlab/Project/<your-project-id>",
      "name": "test vulnerability",
      "description": "This is a vulnerability",
      "scanner": {
        "id": "gitlab-manual-vulnerability-report",
        "name": "manually-created-vulnerability",
        "url": "https://gitlab.com",
        "version": "1.0",
        "vendor": { "name": "GitLab" }
      },
      "identifiers": []
    }
  }
- Press the ▶ button
- Receive "Internal server error"
What is the current bug behavior?
Internal server error is received
What is the expected correct behavior?
Input should be handled gracefully and a validation error should be returned (identifiers must contain at least one item)
Relevant logs and/or screenshots
Message: undefined method 'fingerprint' for nil:NilClass
Backtrace:
ee/app/services/vulnerabilities/create_service_base.rb:107:in `initialize_finding'
ee/app/services/vulnerabilities/manually_create_service.rb:28:in `execute'
ee/app/graphql/mutations/vulnerabilities/create.rb:86:in `resolve'
lib/gitlab/graphql/present/field_extension.rb:18:in `resolve'
lib/gitlab/graphql/tracers/timer_tracer.rb:20:in `trace'
lib/gitlab/graphql/generic_tracing.rb:48:in `with_labkit_tracing'
lib/gitlab/graphql/generic_tracing.rb:38:in `platform_trace'
lib/gitlab/graphql/tracers/logger_tracer.rb:14:in `trace'
lib/gitlab/graphql/tracers/metrics_tracer.rb:13:in `trace'
lib/gitlab/graphql/tracers/application_context_tracer.rb:23:in `trace'
lib/gitlab/graphql/tracers/timer_tracer.rb:20:in `trace'
lib/gitlab/graphql/generic_tracing.rb:48:in `with_labkit_tracing'
lib/gitlab/graphql/generic_tracing.rb:38:in `platform_trace'
lib/gitlab/graphql/tracers/logger_tracer.rb:14:in `trace'
lib/gitlab/graphql/tracers/metrics_tracer.rb:13:in `trace'
lib/gitlab/graphql/tracers/application_context_tracer.rb:20:in `block in trace'
lib/gitlab/application_context.rb:110:in `block in use'
lib/gitlab/application_context.rb:110:in `use'
lib/gitlab/application_context.rb:52:in `with_context'
lib/gitlab/graphql/tracers/application_context_tracer.rb:19:in `trace'
lib/gitlab/graphql/tracers/timer_tracer.rb:20:in `trace'
lib/gitlab/graphql/generic_tracing.rb:48:in `with_labkit_tracing'
lib/gitlab/graphql/generic_tracing.rb:38:in `platform_trace'
lib/gitlab/graphql/tracers/logger_tracer.rb:14:in `trace'
lib/gitlab/graphql/tracers/metrics_tracer.rb:13:in `trace'
lib/gitlab/graphql/tracers/application_context_tracer.rb:23:in `trace'
app/graphql/gitlab_schema.rb:51:in `multiplex'
app/controllers/graphql_controller.rb:167:in `execute_query'
app/controllers/graphql_controller.rb:57:in `execute'
ee/lib/gitlab/ip_address_state.rb:10:in `with'
ee/app/controllers/ee/application_controller.rb:45:in `set_current_ip_address'
app/controllers/application_controller.rb:531:in `set_current_admin'
lib/gitlab/session.rb:11:in `with_session'
app/controllers/application_controller.rb:522:in `set_session_storage'
lib/gitlab/i18n.rb:107:in `with_locale'
lib/gitlab/i18n.rb:113:in `with_user_locale'
app/controllers/application_controller.rb:516:in `set_locale'
app/controllers/application_controller.rb:510:in `set_current_context'
ee/lib/omni_auth/strategies/group_saml.rb:41:in `other_phase'
lib/gitlab/metrics/elasticsearch_rack_middleware.rb:16:in `call'
lib/gitlab/middleware/memory_report.rb:13:in `call'
lib/gitlab/middleware/speedscope.rb:13:in `call'
lib/gitlab/database/load_balancing/rack_middleware.rb:23:in `call'
lib/gitlab/middleware/rails_queue_duration.rb:33:in `call'
lib/gitlab/metrics/rack_middleware.rb:16:in `block in call'
lib/gitlab/metrics/web_transaction.rb:46:in `run'
lib/gitlab/metrics/rack_middleware.rb:16:in `call'
lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:21:in `call'
lib/gitlab/middleware/query_analyzer.rb:11:in `block in call'
lib/gitlab/database/query_analyzer.rb:37:in `within'
lib/gitlab/middleware/query_analyzer.rb:11:in `call'
lib/gitlab/middleware/multipart.rb:173:in `call'
lib/gitlab/middleware/read_only/controller.rb:50:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:21:in `call'
lib/gitlab/middleware/webhook_recursion_detection.rb:15:in `call'
config/initializers/fix_local_cache_middleware.rb:11:in `call'
lib/gitlab/middleware/compressed_json.rb:26:in `call'
lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call'
lib/gitlab/middleware/sidekiq_web_static.rb:20:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:77:in `call'
lib/gitlab/middleware/release_env.rb:13:in `call'
Possible fixes
Validate that identifiers have at least one item before calling ManualVulnerabilityCreateService.
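As an added illustration of that fix (example code written for this page, not GitLab's own mutation or service code): a minimal Ruby model of the argument handling. It reproduces the failure shape from the backtrace, where an empty list makes the service call `fingerprint` on `nil`, and then shows a guard that turns the same input into a validation error in the mutation's `errors` array instead of a 500. `Identifier`, `initialize_finding_unguarded` and `create_vulnerability` are hypothetical stand-ins, the SHA1-based fingerprint derivation is an assumption, and the input hashes are constructed.

```ruby
require 'digest'

# Added example, not GitLab's own code. Identifier, initialize_finding_unguarded
# and create_vulnerability are hypothetical stand-ins for the real objects.

# An identifier such as { externalType: "cve", externalId: "CVE-YYYY-NNNN" }.
Identifier = Struct.new(:external_type, :external_id, :name) do
  # Assumed fingerprint derivation: a stable digest of type and id.
  def fingerprint
    Digest::SHA1.hexdigest("#{external_type}:#{external_id}")
  end
end

# Models the shape of the reported failure: the service takes the first
# identifier as the primary one and calls #fingerprint on it, so an empty
# list yields `nil.fingerprint`, the NoMethodError seen in the backtrace.
def initialize_finding_unguarded(params)
  primary = params[:identifiers].first
  {
    name: params[:name],
    primary_identifier_fingerprint: primary.fingerprint, # raises when primary is nil
    identifier_count: params[:identifiers].size
  }
end

# Hardened entry point: validate the input before the service runs and
# report the problem as a GraphQL-level error rather than an exception.
def create_vulnerability(params)
  identifiers = Array(params[:identifiers]).map do |i|
    Identifier.new(i[:external_type], i[:external_id], i[:name])
  end

  if identifiers.empty?
    return { errors: ["identifiers must contain at least one item"], vulnerability: nil }
  end

  finding = initialize_finding_unguarded(params.merge(identifiers: identifiers))
  { errors: [], vulnerability: finding }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input mirroring the report's variables: no identifiers.
  p create_vulnerability(name: "test vulnerability", identifiers: [])
  # Constructed valid input with one identifier (placeholder id, not a real CVE).
  p create_vulnerability(
    name: "test vulnerability",
    identifiers: [{ external_type: "cve", external_id: "CVE-YYYY-NNNN", name: "placeholder" }]
  )
end
```

The guard sits at the mutation boundary, before any service object is built, which is where the report's expected behaviour places it: the caller gets a message in `errors` and `vulnerability: nil`, and the unguarded path is only ever reached with a non-empty list.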
Edited by Brian Williams