ISE ERS search filter problem with blacklisted strings?

Andreas Falk
Level 1

Hi,
When doing some unit testing on a PR in a Python library I got a strange error.
As soon as I searched for a network device with a filter that contained "update", I got a 500 from ISE.

After some troubleshooting (of course in my code for a long time) I saw that there was an exception on "insecure filter data".

Does anyone know if this is by design, or if it is a bug?

{
    "ERSResponse": {
        "operation": "GET-getAll-networkdevice",
        "messages": [
            {
                "title": "Operation search NETWORK_DEVICE failed. Look at the debug logs for more information",
                "type": "ERROR",
                "code": "CRUD operation exception"
            }
        ],
        "link": {
            "rel": "related",
            "href": "https://192.168.1.27:9060/ers/config/networkdevice?filter=name.EQ.whateverupdatewhatever",
            "type": "application/xml"
        }
    }
}
2021-05-22 21:19:52,394 ERROR  [ers-http-pool1][] ers.app.impl.handlers.NetworkDeviceCRUDHandler -::::- Error while listing NetworkDevices - 
com.cisco.cpm.ers.api.exception.ERSValidationException: Insecure filter data:whateverupdatewhatever,

--
Regards Falk

Accepted Solutions

thomas
Cisco Employee

I was able to successfully POST a network device named 'update' and do a GET by id and name for it

GET https://ise.securitydemo.net:9060/ers/config/networkdevice/name/update
{
    "NetworkDevice": {
        "id": "98eaec70-bcd9-11eb-85b5-c680612b853f",
        "name": "update",
        "description": "use the word update for Andreas Falk",
        "authenticationSettings": {
            "networkProtocol": "RADIUS",
            "radiusSharedSecret": "C1sco12345",
            "enableKeyWrap": false,
            "dtlsRequired": false,
            "keyInputFormat": "ASCII",
            "enableMultiSecret": "false"
        },
        "tacacsSettings": {
            "sharedSecret": "C1sco12345",
            "connectModeOptions": "OFF"
        },
        "profileName": "Cisco",
        "coaPort": 0,
        "NetworkDeviceIPList": [
            {
                "ipaddress": "1.2.3.4",
                "mask": 32
            }
        ],
        "NetworkDeviceGroupList": [
            "Location#All Locations",
            "IPSEC#Is IPSEC Device#No",
            "Device Type#All Device Types",
            "Department#Department",
            "Regions#Regions",
            "Operation#Operation"
        ]
    }
}

 

However, when I tried to search with the substring "update" it failed like you said!  8-(

GET https://ise.securitydemo.net:9060/ers/config/networkdevice?filter=name.CONTAINS.update
{
    "ERSResponse": {
        "operation": "GET-getAll-networkdevice",
        "messages": [
            {
                "title": "Operation search NETWORK_DEVICE failed. Look at the debug logs for more information",
                "type": "ERROR",
                "code": "CRUD operation exception"
            }
        ],
        "link": {
            "rel": "related",
            "href": "https://ise.securitydemo.net:9060/ers/config/networkdevice?filter=name.CONTAINS.update",
            "type": "application/xml"
        }
    }
}

 

If I use a shorter substring ('updat') it works fine, so this sounds like a bug to me!

GET https://ise.securitydemo.net:9060/ers/config/networkdevice?filter=name.CONTAINS.updat
HTTP/1.1 200 OK
{
    "SearchResult": {
        "total": 1,
        "resources": [
            {
                "id": "98eaec70-bcd9-11eb-85b5-c680612b853f",
                "name": "update",
                "description": "use the word update for Andreas Falk",
                "link": {
                    "rel": "self",
                    "href": "https://ise.securitydemo.net:9060/ers/config/networkdevice/98eaec70-bcd9-11eb-85b5-c680612b853f",
                    "type": "application/json"
                }
            }
        ]
    }
}
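
An added example, not part of the original posts and not Cisco's code: it assumes the "Insecure filter data" error comes from a keyword-substring check (only the word "update" is confirmed in this thread) and contrasts that with allow-listing the filter's field and operator and binding the value as a query parameter. The table, field map, length limit and function names are hypothetical.

```python
import re
import sqlite3

# Assumption: only "update" is confirmed by the thread; the check itself is a guess.
DENYLIST = ("update",)
ALLOWED_FIELDS = {"name": "name", "description": "description"}  # hypothetical map
ALLOWED_OPS = {"EQ", "CONTAINS"}  # the two operators used in the thread


def denylist_check(value):
    """Keyword-substring check: rejects any value containing a listed word."""
    lowered = value.lower()
    return not any(word in lowered for word in DENYLIST)


def parse_filter(expr):
    """Split 'field.OP.value'; validate field and operator against allow-lists."""
    field, op, value = expr.split(".", 2)
    if field not in ALLOWED_FIELDS or op not in ALLOWED_OPS:
        raise ValueError(f"unsupported filter: {field}.{op}")
    if not value or len(value) > 64 or re.search(r"[\x00-\x1f]", value):
        raise ValueError("invalid filter value")
    return ALLOWED_FIELDS[field], op, value


def search(conn, expr):
    """Run the filter with the value as a bound parameter, never as SQL text."""
    column, op, value = parse_filter(expr)
    if op == "EQ":
        sql, arg = f"SELECT name FROM device WHERE {column} = ?", value
    else:
        # Escape LIKE wildcards so % and _ in the value match literally.
        escaped = re.sub(r"([\\%_])", r"\\\1", value)
        sql = f"SELECT name FROM device WHERE {column} LIKE ? ESCAPE '\\'"
        arg = f"%{escaped}%"
    return [row[0] for row in conn.execute(sql + " ORDER BY name", (arg,))]


def make_db():
    """Constructed sample data: three device names, one of them 'update'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device (name TEXT, description TEXT)")
    conn.executemany("INSERT INTO device VALUES (?, ?)",
                     [("update", "lab"), ("core_sw1", "dc"), ("coreXsw1", "dc")])
    return conn
```

The denylist rejects the legitimate name from the thread, while the parameterized search returns it because the value never becomes part of the SQL text.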

 

 

 
