String "NaN" is coerced to float value when saving data objects (which breaks retrieving the objects)

[samv-yazzoom]

First Check

• I added a very descriptive title to this issue.
• I used the GitHub search to find a similar issue and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

from typing import List

from fastapi import FastAPI
from pydantic import BaseModel

app = FastAPI()


class DataModel(BaseModel):
    a_string_value: str
    a_float_value: float


stored_objects: List[DataModel] = []


@app.get("/", response_model=List[DataModel])
async def get_objects():
    return stored_objects


@app.post("/")
async def save_object(to_save: DataModel):
    return stored_objects.append(to_save)

Description

I have an application where one of the models contains a field that is a float value.
My database to back this is a mongodb instance.
In the example this is mocked by a simple list; make sure to use a single worker thread when trying to test this locally (uvicorn main:app --workers 1).

A user once tried to send a "NaN" float value and my application accepted it and stored it in mongodb.
What I think is happening is that the string value that is posted is being coerced into a float and float("NaN") gives this annoying value.
This stored value of NaN cannot be returned by subsequent get calls.

Example calls to show the problematic behavior when NaN values are accepted:
curl localhost:8000
[]
curl localhost:8000 -H 'Content-Type: application/json' -d '{"a_string_value": "object 1", "a_float_value": 0.5}'
curl localhost:8000
[{"a_string_value":"object 1","a_float_value":0.5}]
curl localhost:8000 -H 'Content-Type: application/json' -d '{"a_string_value": "object 1", "a_float_value": "NaN"}'
curl localhost:8000
Internal Server Error

ValueError: Out of range float values are not JSON compliant

I could add a validation on each of my models that use a float value or create an extension of a float that I then use in my models but this still feels like a risky way of fixing the issue.
If I forget checking for NaN value coercion on any of my models, a user could break the get behaviour by posting a "NaN" value.

This was cleared by @tiangolo for security issues.

Operating System

Linux

Operating System Details

Ubuntu 20

FastAPI Version

0.73.0

Python Version

3.9.10

Additional Context

This issue was first reported as a security issue but was cleared.

[samv-yazzoom]

My goal is not to accept NaN values but to block the user from sending these to make sure the get api would always work.

[samv-yazzoom]

Still occurs in fastapi 0.74.0

[samv-yazzoom]

import math
from typing import List

import uvicorn
from fastapi import FastAPI
from pydantic import BaseModel

app = FastAPI()


class RegularFloat(float):
    @classmethod
    def __get_validators__(cls):
        yield cls.validate

    @classmethod
    def validate(cls, v):
        if not math.isfinite(float(v)):
            raise ValueError("Invalid float.")
        return cls(v)


class DataModel(BaseModel):
    a_string_value: str
    a_float_value: RegularFloat


stored_objects: List[DataModel] = []


@app.get("/", response_model=List[DataModel])
async def get_objects():
    return stored_objects


@app.post("/")
async def save_object(to_save: DataModel):
    return stored_objects.append(to_save)


if __name__ == '__main__':
    uvicorn.run(
        "main:app",
        workers=1
    )

Example code used to fix my application.

[samv-yazzoom]

Note that math.isfinite was used to also catch "Inf", "-Inf" and similar values.

[yinziyan1206]

So how about using Decimal instead of float

[samv-yazzoom]

Decimal and StrictFloat are indeed also working.
ConstrainedFloat does not block the special values.

I will change all floats on all my models to Decimal to assure that the objects can be returned.

Thank you for the help.

[tiangolo]

Thanks for the report @samv-yazzoom! And thanks for the help @yinziyan1206.

I see how this behavior feels unexpected, it does to me. I made a PR to Pydantic adding support for more restrictive floats that don't accept "NaN" and "inf" here: pydantic/pydantic#3994

I would like for floats to be able to have that behavior by default, but as Pydantic is used in other cases outside of FastAPI I suppose some people could need to support nan and inf in models, not sure. Anyway, I added a lot more comments in that PR, considering the alternative in Starlette/FastAPI, but also how/why I don't like that alternative that much, etc.

Let's see what happens with that PR to Pydantic.

[JavierSanchezCastro]

Hi!

What about passing NaN as input body parameter (string)?

Opened discussion here: #10141

[SamVermeulen42]

Issue remains in latest fastapi version.

If a user follows the tutorial regarding request bodies and simply adds a storage for items, their application is in my opinion vulnerable.

from typing import Union, List

from fastapi import FastAPI
from pydantic import BaseModel

app = FastAPI()


class Item(BaseModel):
    name: str
    description: Union[str, None] = None
    price: float
    tax: Union[float, None] = None


stored_items: List[Item] = []


@app.get("/items")
async def get_items():
    return stored_items


@app.post("/items/")
async def create_item(item: Item):
    stored_items.append(item)
    return item

After any user posts "price": "NaN", the get api is broken.

Documentation could also be adjusted to hint the user to allow_inf_nan, which does resolve the issue if added by the developer.

class Item(BaseModel):
    name: str
    description: Union[str, None] = None
    price: float = Field(allow_inf_nan=False)
    tax: Union[float, None] = None

[YuriiMotov]

So, the solution is to use allow_inf_nan=False in ether Field (also Query, Form, ...)

class DataModel(BaseModel):
    a_string_value: str
    a_float_value: float = Field(allow_inf_nan=False)

or in model_config:

class DataModel(BaseModel):
    model_config = ConfigDict(allow_inf_nan=False)
    a_string_value: str
    a_float_value: float

Agree that it would be nice to add a Note in docs about this

[SamVermeulen42]

using FiniteFloat is also an option
Putting it in the model_config of the BaseModel instance that is used thoughout an application is indeed the easiest solution