Asset ID decoding: missing KeyError handling causes 500 on malformed assetIds query parameter #502

@zrgt

Summary

Severity: Medium
File: server/app/interfaces/repository.py:260-261

Description

Client-supplied assetIds query parameters are base64url-decoded and JSON-parsed. If the JSON object is missing "name" or "value" keys, dict.__getitem__ raises KeyError, which propagates as a 500 Internal Server Error.

```python
name = asset_dict["name"]    # KeyError if key missing
value = asset_dict["value"]  # KeyError if key missing
```

Client input validation failures must return 4xx, not 5xx.

Fix

```python
try:
    name = asset_dict["name"]
    value = asset_dict["value"]
except KeyError as e:
    raise BadRequest(f"Invalid assetId format: missing field {e}") from e
```
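
An added example, not part of the original issue or the project's code: the full decode path for one `assetIds` value, with every malformed-input case mapped to a 400. It goes beyond the missing-key case to cover invalid base64, invalid JSON and non-object JSON. The names `decode_asset_id`, `status_for` and `encode_sample`, the local `BadRequest` class and the string type check are assumptions.

```python
import base64
import json

class BadRequest(Exception):
    """Stand-in for the framework's HTTP 400 exception (assumption)."""
    status_code = 400

def decode_asset_id(encoded: str) -> tuple[str, str]:
    """Decode one base64url assetIds value; every bad input raises BadRequest."""
    try:
        padded = encoded + "=" * (-len(encoded) % 4)  # clients may strip padding
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
        asset_dict = json.loads(raw.decode("utf-8"))
    except ValueError as e:  # bad base64, bad UTF-8 and bad JSON are all ValueError
        raise BadRequest(f"Invalid assetId encoding: {e}") from e
    if not isinstance(asset_dict, dict):  # e.g. a JSON list or string
        raise BadRequest("Invalid assetId format: expected a JSON object")
    try:
        name = asset_dict["name"]
        value = asset_dict["value"]
    except KeyError as e:
        raise BadRequest(f"Invalid assetId format: missing field {e}") from e
    if not (isinstance(name, str) and isinstance(value, str)):  # assumed types
        raise BadRequest("Invalid assetId format: name and value must be strings")
    return name, value

def status_for(encoded: str) -> int:
    """HTTP status a handler would send; any other exception would be a 500."""
    try:
        decode_asset_id(encoded)
        return 200
    except BadRequest as e:
        return e.status_code

def encode_sample(obj) -> str:
    """Encode a constructed sample as unpadded base64url JSON."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

if __name__ == "__main__":
    samples = {  # constructed inputs, not taken from the project
        "valid": encode_sample({"name": "serial", "value": "1234"}),
        "missing value": encode_sample({"name": "serial"}),
        "not an object": encode_sample(["serial", "1234"]),
        "not base64": "!!!",
    }
    for label, encoded in samples.items():
        print(f"{label}: {status_for(encoded)}")
```

A regression test for the issue can assert that each malformed sample yields 400 and that no other exception type escapes the decoder.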

Labels: bug, server