From 887ea2a2af18de8e4faa75f37efb59b43a86fd6c Mon Sep 17 00:00:00 2001 From: Matt Miller Date: Tue, 19 May 2026 19:48:33 -0700 Subject: [PATCH] =?UTF-8?q?fix(assets):=20tighten=20job=5Fids=20=E2=80=94?= =?UTF-8?q?=20array=20schema,=20max=5Flength,=20narrow=20except?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From cursor-reviews on the parent commit: - OpenAPI: declare job_ids as `type: array, items: string format: uuid` with `style: form, explode: true` so it matches the documented contract (and matches sibling include_tags/exclude_tags shape). Description now states both accepted shapes explicitly. - Schema: cap `job_ids` at 500 entries (max_length on the Pydantic field) so a client can't splice an unbounded list into the IN clauses. - Schema: drop `AttributeError` from the except — `raw` only contains `str` items by construction, so `uuid.UUID()` raises `ValueError` exclusively; the second clause was dead code. --- app/assets/api/schemas_in.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/assets/api/schemas_in.py b/app/assets/api/schemas_in.py index 2f5b49174..eed4d484d 100644 --- a/app/assets/api/schemas_in.py +++ b/app/assets/api/schemas_in.py @@ -54,7 +54,7 @@ class ListAssetsQuery(BaseModel): include_tags: list[str] = Field(default_factory=list) exclude_tags: list[str] = Field(default_factory=list) name_contains: str | None = None - job_ids: list[str] = Field(default_factory=list) + job_ids: list[str] = Field(default_factory=list, max_length=500) # Accept either a JSON string (query param) or a dict metadata_filter: dict[str, Any] | None = None @@ -110,7 +110,7 @@ class ListAssetsQuery(BaseModel): for s in raw: try: canonical = str(uuid.UUID(s)) - except (ValueError, AttributeError) as e: + except ValueError as e: raise ValueError(f"job_ids must be UUIDs: {s!r}") from e if canonical not in seen: seen.add(canonical)
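Review bot: In the first hunk (`ListAssetsQuery.job_ids`), `max_length=500` is enforced by Pydantic's list validation, and whether that runs before or after the `job_ids` normaliser touched in the second hunk depends on that validator's mode, which is not visible here. If the normaliser runs after field validation and expands a delimited string into several IDs (the commit message mentions two accepted shapes), a single long entry would pass the cap and still produce more than 500 values for the `IN` clauses. If it runs before, the cap applies to the deduplicated list, which is probably the intent. I would make the bound explicit next to the dedup loop with a length check on the normalised list that raises `ValueError("job_ids accepts at most 500 entries")`, and name the limit (for example `MAX_JOB_IDS = 500`) with a comment saying it bounds the SQL `IN` list. A test submitting 501 IDs in each accepted shape would pin the behaviour.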
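Review bot: In the second hunk, `except ValueError as e:` relies on every item of `raw` being a `str`, but the code that builds `raw` is outside the hunk, so that invariant cannot be confirmed from here. `uuid.UUID()` raises `AttributeError` or `TypeError` for non-string arguments, and Pydantic converts only `ValueError`/`AssertionError` raised in a validator into a validation error. A non-string item (for example when the model is built from a dict rather than a query string) would therefore surface as an unhandled exception instead of a 4xx response. Either guard the loop with `if not isinstance(s, str): raise ValueError(f"job_ids must be UUIDs: {s!r}")`, or add a comment where `raw` is built stating that it is always `list[str]`.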