VulnerabilityCreate mutation returns 500 error when identifiers is empty

Summary

The CreateVulnerability GraphQL mutation returns an internal server error when given an empty list of identifiers.

Steps to reproduce

  1. Go to https://gitlab.com/-/graphql-explorer

  2. Fill in the query textarea with this query:

    mutation vulnerabilityCreate($input: VulnerabilityCreateInput!) {
      vulnerabilityCreate(input: $input) {
        errors
        vulnerability {
          id
          vulnerabilityPath
        }
      }
    }
  3. Expand the Query Variables textarea and fill it in with these variables:

    {
      "input": {
        "clientMutationId": "1",
        "project": "gid://gitlab/Project/<your-project-id>",
        "name": "test vulnerability",
        "description": "This is a vulnerability",
        "scanner": {
          "id": "gitlab-manual-vulnerability-report",
          "name": "manually-created-vulnerability",
          "url": "https://gitlab.com",
          "version": "1.0",
          "vendor": {
            "name": "GitLab"
          }
        },
        "identifiers": []
      }
    }
  4. Press the button to execute the query

  5. Receive "Internal server error"

What is the current bug behavior?

An "Internal server error" response is returned instead of a validation error.

What is the expected correct behavior?

The input should be handled gracefully and a validation error returned (identifiers must contain at least one item).

Relevant logs and/or screenshots

Message: undefined method 'fingerprint' for nil:NilClass

Backtrace:

ee/app/services/vulnerabilities/create_service_base.rb:107:in `initialize_finding'
ee/app/services/vulnerabilities/manually_create_service.rb:28:in `execute'
ee/app/graphql/mutations/vulnerabilities/create.rb:86:in `resolve'
lib/gitlab/graphql/present/field_extension.rb:18:in `resolve'
lib/gitlab/graphql/tracers/timer_tracer.rb:20:in `trace'
lib/gitlab/graphql/generic_tracing.rb:48:in `with_labkit_tracing'
lib/gitlab/graphql/generic_tracing.rb:38:in `platform_trace'
lib/gitlab/graphql/tracers/logger_tracer.rb:14:in `trace'
lib/gitlab/graphql/tracers/metrics_tracer.rb:13:in `trace'
lib/gitlab/graphql/tracers/application_context_tracer.rb:23:in `trace'
lib/gitlab/graphql/tracers/timer_tracer.rb:20:in `trace'
lib/gitlab/graphql/generic_tracing.rb:48:in `with_labkit_tracing'
lib/gitlab/graphql/generic_tracing.rb:38:in `platform_trace'
lib/gitlab/graphql/tracers/logger_tracer.rb:14:in `trace'
lib/gitlab/graphql/tracers/metrics_tracer.rb:13:in `trace'
lib/gitlab/graphql/tracers/application_context_tracer.rb:20:in `block in trace'
lib/gitlab/application_context.rb:110:in `block in use'
lib/gitlab/application_context.rb:110:in `use'
lib/gitlab/application_context.rb:52:in `with_context'
lib/gitlab/graphql/tracers/application_context_tracer.rb:19:in `trace'
lib/gitlab/graphql/tracers/timer_tracer.rb:20:in `trace'
lib/gitlab/graphql/generic_tracing.rb:48:in `with_labkit_tracing'
lib/gitlab/graphql/generic_tracing.rb:38:in `platform_trace'
lib/gitlab/graphql/tracers/logger_tracer.rb:14:in `trace'
lib/gitlab/graphql/tracers/metrics_tracer.rb:13:in `trace'
lib/gitlab/graphql/tracers/application_context_tracer.rb:23:in `trace'
app/graphql/gitlab_schema.rb:51:in `multiplex'
app/controllers/graphql_controller.rb:167:in `execute_query'
app/controllers/graphql_controller.rb:57:in `execute'
ee/lib/gitlab/ip_address_state.rb:10:in `with'
ee/app/controllers/ee/application_controller.rb:45:in `set_current_ip_address'
app/controllers/application_controller.rb:531:in `set_current_admin'
lib/gitlab/session.rb:11:in `with_session'
app/controllers/application_controller.rb:522:in `set_session_storage'
lib/gitlab/i18n.rb:107:in `with_locale'
lib/gitlab/i18n.rb:113:in `with_user_locale'
app/controllers/application_controller.rb:516:in `set_locale'
app/controllers/application_controller.rb:510:in `set_current_context'
ee/lib/omni_auth/strategies/group_saml.rb:41:in `other_phase'
lib/gitlab/metrics/elasticsearch_rack_middleware.rb:16:in `call'
lib/gitlab/middleware/memory_report.rb:13:in `call'
lib/gitlab/middleware/speedscope.rb:13:in `call'
lib/gitlab/database/load_balancing/rack_middleware.rb:23:in `call'
lib/gitlab/middleware/rails_queue_duration.rb:33:in `call'
lib/gitlab/metrics/rack_middleware.rb:16:in `block in call'
lib/gitlab/metrics/web_transaction.rb:46:in `run'
lib/gitlab/metrics/rack_middleware.rb:16:in `call'
lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:21:in `call'
lib/gitlab/middleware/query_analyzer.rb:11:in `block in call'
lib/gitlab/database/query_analyzer.rb:37:in `within'
lib/gitlab/middleware/query_analyzer.rb:11:in `call'
lib/gitlab/middleware/multipart.rb:173:in `call'
lib/gitlab/middleware/read_only/controller.rb:50:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:21:in `call'
lib/gitlab/middleware/webhook_recursion_detection.rb:15:in `call'
config/initializers/fix_local_cache_middleware.rb:11:in `call'
lib/gitlab/middleware/compressed_json.rb:26:in `call'
lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call'
lib/gitlab/middleware/sidekiq_web_static.rb:20:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:77:in `call'
lib/gitlab/middleware/release_env.rb:13:in `call'

Possible fixes

Validate that identifiers have at least one item before calling ManualVulnerabilityCreateService.
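To illustrate the failure mode in the backtrace and the validation this fix proposes, here is an added Ruby sketch; it is not GitLab's code, and `Identifier`, `ServiceResponse`, `unguarded_create`, `guarded_create` and `resolve_mutation` are hypothetical stand-ins for the service and resolver layers.

```ruby
require 'digest'

# Hypothetical stand-in for a vulnerability identifier with a derived fingerprint.
Identifier = Struct.new(:external_type, :external_id, :name) do
  def fingerprint
    Digest::SHA1.hexdigest("#{external_type}:#{external_id}")
  end
end

# Hypothetical service result: either :success with a payload or :error with a message.
ServiceResponse = Struct.new(:status, :payload, :message) do
  def success?
    status == :success
  end
end

# Mirrors the reported behaviour: the primary identifier is taken without a
# presence check, so an empty list yields nil and `nil.fingerprint` raises
# NoMethodError, which the GraphQL endpoint turns into an HTTP 500.
def unguarded_create(params)
  primary = params[:identifiers].first
  ServiceResponse.new(:success, { primary_fingerprint: primary.fingerprint }, nil)
end

# Hardened variant: validate at the boundary and return a validation error
# before any finding is built, as the "Possible fixes" section suggests.
def guarded_create(params)
  identifiers = Array(params[:identifiers])
  if identifiers.empty?
    return ServiceResponse.new(:error, nil, 'identifiers must contain at least one item')
  end

  unguarded_create(params.merge(identifiers: identifiers))
end

# Maps the service response onto the mutation's `errors` / `vulnerability`
# fields so a bad input surfaces as a GraphQL error, not an exception.
def resolve_mutation(params)
  response = guarded_create(params)
  if response.success?
    { errors: [], vulnerability: response.payload }
  else
    { errors: [response.message], vulnerability: nil }
  end
end
```

A non-null list type in the GraphQL schema rejects a missing `identifiers` field but still accepts an empty array, so the presence check has to live in the resolver or service rather than in the type alone.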

Edited by Brian Williams