-
Notifications
You must be signed in to change notification settings - Fork 223
[BUG] Type-Unsafe Request Payloads (Missing Pydantic Models) #1489
Copy link
Copy link
Open
Labels
area:backendBackend API, database, or service workBackend API, database, or service worklevel:advanced55 pts difficulty label for advanced contributor PRs55 pts difficulty label for advanced contributor PRspriority:mediumImportant issue with normal urgencyImportant issue with normal urgencytype:bugBug fix work category bonus labelBug fix work category bonus labeltype:refactorRefactor work category bonus labelRefactor work category bonus label
Description
Metadata
Metadata
Assignees
Labels
area:backendBackend API, database, or service workBackend API, database, or service worklevel:advanced55 pts difficulty label for advanced contributor PRs55 pts difficulty label for advanced contributor PRspriority:mediumImportant issue with normal urgencyImportant issue with normal urgencytype:bugBug fix work category bonus labelBug fix work category bonus labeltype:refactorRefactor work category bonus labelRefactor work category bonus label
Type-Unsafe Request Payloads (Missing Pydantic Models)
Description:
Many POST and PATCH endpoints in
backend/secuscan/routes.pyuse genericDict[str, Any]for incoming request payloads rather than strictly typed Pydantic models. This circumvents FastAPI's automatic request validation and type coercion.Affected Code/Endpoints:
/target-policies:async def create_target_policy(payload: Dict[str, Any], ...)/credential-profiles:async def create_credential_profile(payload: Dict[str, Any], ...)/session-profiles:async def create_session_profile(payload: Dict[str, Any], ...)/workflows:async def create_workflow(payload: Dict[str, Any], ...)Recommendation:
Define proper Pydantic models (e.g.,
TargetPolicyCreate,CredentialProfileCreate) inmodels.pyand replaceDict[str, Any]with these models to ensure robust type checking and automatic 422 HTTP responses on invalid input.