Summary
Severity: High
File: server/app/interfaces/repository.py:271-276
Description
When a client sends 2 or more assetIds query parameters with globalAssetId type, the filter lambda evaluates to False for every shell and the endpoint returns an empty HTTP 200 response with no error.
    aas = filter(lambda shell: (
        (not specific_asset_ids or all(...)) and
        (len(global_asset_ids) <= 1 and  # <-- guard condition
         (not global_asset_ids or shell.asset_information.global_asset_id in global_asset_ids))
    ), aas)
When len(global_asset_ids) > 1, the entire inner expression is False. The filter lambda returns False for every shell, yielding an empty response — silently, with HTTP 200. No error is raised. The condition was likely meant to validate the input and reject it with 400, not silently discard all results.
Fix
Replace the len(...) <= 1 guard with proper input validation that raises BadRequest if multiple global asset IDs are provided (if the AAS spec prohibits it), or remove the guard entirely and rely on the in global_asset_ids membership test for OR-matching.
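The reported behaviour next to both proposed fixes, as an added example that is not the project's own code. Shell (with global_asset_id flattened onto it), the local BadRequest class, the function names and the sample URNs are assumptions made for illustration; the specific_asset_ids clause, which is elided in the report, is left out.

```python
from dataclasses import dataclass


class BadRequest(Exception):
    """Local stand-in for the framework's HTTP 400 exception (assumption)."""


@dataclass
class Shell:
    """Hypothetical minimal shell: only the field the filter reads."""
    id: str
    global_asset_id: str


def filter_as_reported(shells, global_asset_ids):
    # Guard from the report: with 2+ IDs the predicate is False for every
    # shell, so the caller gets an empty list and no error.
    return [s for s in shells
            if len(global_asset_ids) <= 1
            and (not global_asset_ids or s.global_asset_id in global_asset_ids)]


def filter_reject(shells, global_asset_ids):
    # Fix option 1: validate before filtering so the client sees a 400.
    if len(global_asset_ids) > 1:
        raise BadRequest("at most one globalAssetId may be supplied")
    return [s for s in shells
            if not global_asset_ids or s.global_asset_id in global_asset_ids]


def filter_or_match(shells, global_asset_ids):
    # Fix option 2: no guard; a shell matches if its ID is any of those given.
    return [s for s in shells
            if not global_asset_ids or s.global_asset_id in global_asset_ids]


# Constructed sample data, not taken from the report.
SHELLS = [Shell("shell-a", "urn:example:asset:1"),
          Shell("shell-b", "urn:example:asset:2"),
          Shell("shell-c", "urn:example:asset:3")]
TWO_IDS = {"urn:example:asset:1", "urn:example:asset:2"}

if __name__ == "__main__":
    print("as reported:", [s.id for s in filter_as_reported(SHELLS, TWO_IDS)])
    print("OR-matching:", [s.id for s in filter_or_match(SHELLS, TWO_IDS)])
    try:
        filter_reject(SHELLS, TWO_IDS)
    except BadRequest as exc:
        print("rejected:", exc)
```

Which option is correct depends on whether the AAS spec allows multiple global asset IDs, as the report notes.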