API endpoint dcim/cables fails to validate termination type against target specified by id #3269

Closed
ajknv opened this issue Jun 19, 2019 · 6 comments
Labels
status: accepted This issue has been accepted for implementation type: bug A confirmed report of unexpected behavior in the application

Comments

@ajknv
Contributor

ajknv commented Jun 19, 2019

Environment

  • Python version: 3.6.8
  • NetBox version: 2.5.13

Steps to Reproduce

  1. Send an API request to create a cable where one of the termination types (accidentally) doesn't match the type of the actual object referenced by the corresponding termination id, e.g.:
    POST dcim/cables '{"termination_a_id": "<POWEROUTLET_ID>", "termination_a_type": "<POWERPORT_TYPE_ID>", "termination_b_id": "<POWEROUTLET_ID>", "termination_b_type": "<POWEROUTLET_TYPE_ID>"}'

Expected Behavior

Netbox will validate that an object of "termination_<X>_type" with the specified "termination_<X>_id" actually exists and reject the request with an error if not.

Observed Behavior

Netbox apparently writes the requested data to the dcim_cables table blindly, creating a broken foreign key reference. It does provoke an error, but not a well-formed rejection request, and the cable object gets created anyway:
Server Error
There was a problem with your request. Please contact an administrator. The complete exception is provided below:
<class 'AttributeError'> 'NoneType' object has no attribute 'cable'

The resulting cable object is also "broken" in that it cannot be deleted via the UI or API, as attempts to do so raise an error:
There was a problem with your request. Please contact an administrator. The complete exception is provided below:
<class 'AttributeError'> 'NoneType' object has no attribute 'trace'
Recovery requires deleting the cable directly from the database with a SQL statement.

@mshems

mshems commented Jun 20, 2019

The endpoint additionally does not check that termination_a_id is not the same as termination_b_id. The resulting cable is also broken and cannot be deleted via UI or API, giving the following error:

<class 'AttributeError'>

'NoneType' object has no attribute 'trace'

@jeremystretch
Member

Python version: 2.7.5
NetBox version: 2.5.13

NetBox v2.5 requires Python 3.5 or higher. Please verify your installation environment.

@jeremystretch jeremystretch added the status: revisions needed This issue requires additional information to be actionable label Jun 20, 2019
@ajknv
Contributor Author

ajknv commented Jun 20, 2019

My mistake, pulled the python version from the host environment rather than the container it was running in. Updated bug synopsis to reflect correct version of python running the Netbox workers (3.6.8).

@jeremystretch jeremystretch removed the status: revisions needed This issue requires additional information to be actionable label Jun 20, 2019
@jeremystretch
Member

I'm not able to reproduce this on v2.5.13 or v2.6.0. NetBox validates the connection types as expected and returns an error:

curl -X POST \
-H "Authorization: Token <token>" \
-H "Content-Type: application/json" \
-H "Accept: application/json; indent=4" \
http://localhost:8000/api/dcim/cables/ \
--data '{"termination_a_id": "35281", "termination_a_type": "dcim.poweroutlet", "termination_b_id": "35257", "termination_b_type": "dcim.poweroutlet"}'
{
    "non_field_errors": [
        "Incompatible termination types: power outlet and power outlet"
    ]
}

Please post the full exact API request you're making to trigger the exception.

@jeremystretch jeremystretch added the status: revisions needed This issue requires additional information to be actionable label Jun 24, 2019
@ajknv
Contributor Author

ajknv commented Jun 24, 2019

You don't appear to have specified different termination types in your repro attempt.
curl -X POST -H "Authorization: Token <TOKEN>" -H "Content-Type: application/json" -H "Accept: application/json; indent=4" https://localhost:443/api/dcim/cables/ --data '{"termination_a_id": "992", "termination_a_type": "dcim.poweroutlet", "termination_b_id": "993", "termination_b_type": "dcim.powerport"}'


<title>Server Error</title>

<body>
<div class="container-fluid">
<div class="row">
<div class="col-md-6 col-md-offset-3">
<div class="panel panel-danger" style="margin-top: 200px">
<div class="panel-heading">
<strong>
<i class="fa fa-warning"></i>
Server Error
</strong>
</div>
<div>
<p>
There was a problem with your request. Please contact an administrator.
</p>
<hr />
<p>
The complete exception is provided below:
</p>
<strong><class 'AttributeError'></strong><br />
'NoneType' object has no attribute 'cable'</pre>
<p>
If further assistance is required, please post to the <a href="https://groups.google.com/forum/#!forum/netbox-discuss">NetBox mailing list</a>.
</p>
<div class="text-right">
<a href="/" class="btn btn-primary">Home Page</a>
</div>
</div>
</div>
</div>
</div>
</div>
</body>

@jeremystretch jeremystretch removed the status: revisions needed This issue requires additional information to be actionable label Jun 24, 2019
@jeremystretch
Member

Oh, I see, you're referencing an object that doesn't exist. I would have thought that Django would handle that validation natively but apparently it does not.

@jeremystretch jeremystretch added status: accepted This issue has been accepted for implementation type: bug A confirmed report of unexpected behavior in the application labels Jun 24, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jan 16, 2020
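
The check this thread asks for, as an added example that is not NetBox's code or its eventual fix: a (type, id) termination pair is a generic reference the database cannot enforce, so the API layer has to confirm the target row exists before saving. The SQLite schema, table names, ids and error wording are constructed for illustration; only the `dcim.poweroutlet` / `dcim.powerport` labels and the `termination_*` field names come from the requests above.

```python
import sqlite3

# Constructed stand-in schema: one table per termination model. Table names
# and ids are assumptions for this sketch, not NetBox's real schema.
TERMINATION_TABLES = {
    "dcim.poweroutlet": "poweroutlet",
    "dcim.powerport": "powerport",
}


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE poweroutlet (id INTEGER PRIMARY KEY);"
        "CREATE TABLE powerport (id INTEGER PRIMARY KEY);"
        "INSERT INTO poweroutlet (id) VALUES (992);"
        "INSERT INTO powerport (id) VALUES (17);"
    )
    return db


def validate_cable(db, payload):
    """Return a dict of errors; an empty dict means the cable may be saved."""
    errors, ends = {}, {}
    for side in ("a", "b"):
        type_key, id_key = f"termination_{side}_type", f"termination_{side}_id"
        label = payload.get(type_key)
        # Allow-list lookup: client input never reaches the SQL text itself.
        table = TERMINATION_TABLES.get(label) if isinstance(label, str) else None
        if table is None:
            errors[type_key] = "Unknown termination type"
            continue
        try:
            obj_id = int(payload.get(id_key))
        except (TypeError, ValueError):
            errors[id_key] = "Termination id must be an integer"
            continue
        # Existence check for the (type, id) pair, done before any write.
        row = db.execute(f"SELECT 1 FROM {table} WHERE id = ?", (obj_id,)).fetchone()
        if row is None:
            errors[id_key] = f"No {label} with id {obj_id}"
        ends[side] = (table, obj_id)
    # Second case raised in the thread: both ends naming the same object.
    if len(ends) == 2 and ends["a"] == ends["b"]:
        errors["non_field_errors"] = "Cannot connect a termination to itself"
    return errors
```

Returning field-keyed errors lets the endpoint answer with a 400 response instead of the unhandled `AttributeError`, and nothing is written when the dict is non-empty.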