asf-tooling opened a new issue, #1000:
URL: https://github.com/apache/tooling-trusted-releases/issues/1000

**ASVS Level(s):** [L1]

**Description:**

### Summary
The typed route system skips validation for optional safe-type parameters. When a parameter is typed as `Optional[SafeType]`, the code adds it to `optional_params` and continues without adding it to `validated_params`, so `validate_params()` never calls the safe type's validation logic. Handlers receive raw strings instead of validated SafeType instances.

### Details
Affected location: `atr/blueprints/common.py` lines 145-152

When a route parameter is typed as `Optional[SafeType]`, the `build_api_path()` function:
1. Detects it as optional
2. Adds it to the `optional_params` list
3. Skips adding it to `validated_params`
4. Never validates the value if present

This means optional safe-type parameters receive no validation, defeating the purpose of safe types.

### Recommended Remediation
Modify `build_api_path()` to still add optional SafeType parameters to `validated_params`, and update `validate_params()` to skip None values while still validating present optional parameters:
   
```python
# In build_api_path():
if is_optional:
    optional_params.append(param_name)
    # Still add to validated_params if it's a SafeType
    if is_safe_type:
        validated_params[param_name] = safe_type_class

# In validate_params():
for param_name, safe_type_class in validated_params.items():
    value = params.get(param_name)
    if value is None and param_name in optional_params:
        continue  # Skip validation for None optional params
    # Validate present values
    params[param_name] = safe_type_class(value)
```
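A self-contained reproduction added here for review (not code from `atr/blueprints/common.py`; `SafeType`, `Identifier`, `build_validators` and `handler` are assumed stand-ins for the project's types): `fixed=False` models the current bookkeeping, where the optional parameter never reaches `validated_params` and the raw string leaks through, and `fixed=True` models the remediation above.

```python
import inspect
from typing import Optional, Union, get_args, get_origin

class SafeType(str):
    """Stand-in for the project's SafeType base: validation runs on construction."""
    def __new__(cls, value):
        if not isinstance(value, str) or not cls.check(value):
            raise ValueError(f"{cls.__name__}: rejected {value!r}")
        return super().__new__(cls, value)

class Identifier(SafeType):  # assumed example safe type: identifier-shaped strings only
    @staticmethod
    def check(value: str) -> bool:
        return value.isidentifier()

def _unwrap_optional(annotation):
    """Return (inner, True) for Optional[inner], otherwise (annotation, False)."""
    if get_origin(annotation) is Union:
        args = get_args(annotation)
        inner = [a for a in args if a is not type(None)]
        if len(args) == 2 and len(inner) == 1:
            return inner[0], True
    return annotation, False

def build_validators(handler, fixed: bool):
    """Bookkeeping modelled on build_api_path(); fixed=False reproduces the bug."""
    optional_params, validated_params = [], {}
    for name, param in inspect.signature(handler).parameters.items():
        inner, is_optional = _unwrap_optional(param.annotation)
        is_safe = isinstance(inner, type) and issubclass(inner, SafeType)
        if is_optional:
            optional_params.append(name)
            if not fixed:
                continue  # the bug: optional params never reach validated_params
        if is_safe:
            validated_params[name] = inner
    return optional_params, validated_params

def validate_params(params, optional_params, validated_params):
    """Construct the safe type for every present value; skip absent optionals."""
    out = dict(params)
    for name, safe_cls in validated_params.items():
        value = out.get(name)
        if value is None and name in optional_params:
            continue
        out[name] = safe_cls(value)
    return out

# Assumed handler signature: one required and one optional safe-typed parameter.
def handler(project: Identifier, version: Optional[Identifier] = None): ...
```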
   
### Acceptance Criteria
- [ ] Optional SafeType parameters are validated when present
- [ ] None values for optional parameters skip validation
- [ ] Handlers receive validated SafeType instances
- [ ] Test cases verify optional parameter validation
- [ ] Unit test verifying the fix

### References
- Source reports: L1:2.2.1.md
- Related findings: None
- ASVS sections: 2.2.1

### Priority
Medium

---

**Triage notes:** confirm, maybe add an inline comment

