[26.0] Harden API parameter validation #22351
Merged
mvdbeek merged 11 commits into galaxyproject:release_26.0 from Apr 3, 2026
Two issues caused flaky failures in test_tool_discovery_landing:
1. fetchHelpForId used a Set to guard against duplicate fetches. The watchEffect in ToolsListTable called fetchHelpForId fire-and-forget, adding tool IDs to the Set immediately. When loadTools subsequently called fetchHelpForId for the same IDs, the guard returned a resolved Promise before data was actually cached, so await Promise.all() resolved prematurely and help toggle links never appeared. Fix: change fetchedHelpIds from Set to Map<string, Promise<void>> so concurrent callers share the same in-flight Promise.
2. After a search, ScrollList kept stale items in localItems and considered allLoaded=true (old item count >= new total), so loadTools was never re-invoked for the filtered results. Help data was never awaited for the search results. Fix: replace the fire-and-forget watchEffect with a computed key on ScrollList that forces a remount when props.tools changes, ensuring loadTools runs again and awaits help data for new results.
When a client passes a nonexistent genome build ID (e.g. "1"), return a 400 RequestParameterInvalidException instead of a 500 ReferenceDataError. The latter is reserved for genuine server-side reference data issues. Fixes galaxyproject#22349
Return 400 instead of 500 TypeError when POST /api/tools is called without a request body. Fixes galaxyproject#22348
Anonymous requests crash with AttributeError when accessing trans.user.id. Return 401 instead. Fixes galaxyproject#22347
Reject badly formed UUID strings with a 400 instead of letting them propagate as a StatementError (500) from SQLAlchemy. Fixes galaxyproject#22346
98b4022 to 90c0680
- Fix score_url_match to use prefix matching (startswith) instead of substring matching (in), preventing malicious URIs like gxfiles://stock_httphttp://evil.com from matching legitimate sources.
- Reject URIs containing embedded :// schemes in the remote files manager.
- Add unit test for the prefix matching behavior.
Fixes galaxyproject#22345
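The two checks named in the commit message above, side by side, as an added example that is not Galaxy's code: `SOURCE_ROOTS`, `score_substring`, `score_prefix`, `has_embedded_scheme` and `resolve` are simplified, hypothetical stand-ins, and the source roots are constructed for illustration.

```python
# Constructed source roots; the names and values are assumptions for this example.
SOURCE_ROOTS = {"web": "http://", "stock": "gxfiles://stock_http"}


def score_substring(root: str, uri: str) -> int:
    """Substring matching: the root may appear anywhere in the URI."""
    return len(root) if root in uri else 0


def score_prefix(root: str, uri: str) -> int:
    """Prefix matching: the URI must begin with the root."""
    return len(root) if uri.startswith(root) else 0


def has_embedded_scheme(uri: str) -> bool:
    """True when a second '://' follows the URI's own scheme separator."""
    _, sep, rest = uri.partition("://")
    return bool(sep) and "://" in rest


def matching_sources(uri: str, scorer) -> list:
    """Names of every source whose root scores above zero for this URI."""
    return sorted(n for n, root in SOURCE_ROOTS.items() if scorer(root, uri))


def resolve(uri: str):
    """Hardened lookup: refuse embedded schemes, then pick the longest prefix."""
    if has_embedded_scheme(uri):
        raise ValueError(f"embedded scheme in URI: {uri!r}")
    scores = {n: score_prefix(root, uri) for n, root in SOURCE_ROOTS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] else None


if __name__ == "__main__":
    uri = "gxfiles://stock_httphttp://evil.com"  # URI quoted in the commit message
    print(matching_sources(uri, score_substring))  # both roots occur somewhere
    print(matching_sources(uri, score_prefix))     # only the leading root matches
    print(has_embedded_scheme(uri))                # second '://' is detected
```

Prefix matching alone still lets the quoted URI match the root it starts with, which is why the embedded-scheme rejection is applied as a separate check in this sketch.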
Return 400 when payload is not a dict (e.g. a raw string) instead of crashing with AttributeError. Fixes galaxyproject#22344
The POST /api/metrics endpoint was a never-completed Fluentd bridge stub
with no frontend callers. With fluent_log=false (default), it only called
log.debug() and returned {}. No feature development in 3+ years.
Fixes galaxyproject#22343
When cookie bytes contain invalid UTF-8 (e.g. from tampered requests or mangling proxies), catch UnicodeDecodeError and treat as no cookies present. Galaxy already handles missing cookies by creating a new anonymous session. Fixes galaxyproject#22342
- Add regex pattern constraint on ConcreteObjectStoreIdPathParam to only accept word characters and hyphens, blocking path traversal attempts.
- Fix DistributedObjectStore.get_concrete_store_by_object_store_id to return None instead of raising KeyError, matching the base class contract so _model_for returns 404.
Fixes galaxyproject#22341
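A sketch of validating identifiers at the API boundary, covering both the object store ID pattern in the commit above and the earlier UUID commit. It is an added example, not Galaxy's code: the exception classes, `STORES` registry and function names are hypothetical, and restricting `\w` to ASCII is a choice made here.

```python
import re
import uuid


class RequestParameterInvalid(Exception):
    status_code = 400


class ObjectNotFound(Exception):
    status_code = 404


# Word characters and hyphens only. re.ASCII keeps \w to [A-Za-z0-9_], and
# fullmatch() avoids "$" matching just before a trailing newline.
OBJECT_STORE_ID = re.compile(r"[\w-]+", re.ASCII)

# Constructed registry standing in for the configured backends.
STORES = {"files-primary": "/srv/objects/primary"}


def parse_object_store_id(raw: str) -> str:
    if not OBJECT_STORE_ID.fullmatch(raw):
        raise RequestParameterInvalid(f"invalid object store id: {raw!r}")
    return raw


def parse_uuid(raw: str) -> uuid.UUID:
    try:
        return uuid.UUID(raw)
    except ValueError as exc:  # e.g. "badly formed hexadecimal UUID string"
        raise RequestParameterInvalid(f"invalid UUID: {raw!r}") from exc


def get_store(store_id: str):
    # Return None for an unknown id instead of raising KeyError.
    return STORES.get(store_id)


def show_store(raw_id: str) -> str:
    store = get_store(parse_object_store_id(raw_id))
    if store is None:
        raise ObjectNotFound(raw_id)
    return store


def status_for(handler, raw: str) -> int:
    """Run a handler the way an API layer would and report the HTTP status."""
    try:
        handler(raw)
    except (RequestParameterInvalid, ObjectNotFound) as exc:
        return exc.status_code
    return 200
```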
90c0680 to
646ce87
Compare
Test errors unrelated
martenson approved these changes Apr 2, 2026
Summary
Systematic hardening of API input validation so malformed/malicious requests are rejected at the API frontier with 4xx responses instead of crashing deep in application code as 500s logged to Sentry.
Full diagnosis plan: https://gist.github.com/mvdbeek/9fcae5ac8e5a4e77abef119c01dcbb08
Commits
- since parameter before parsing as ISO date
- ToolsController.create()
- list_runs endpoint
- gxfiles:// URI validation against embedded schemes
- _kwd_or_payload
- UnicodeDecodeError in cookie parsing gracefully
How to test the changes?
(Select all options that apply)
License