54 changes: 43 additions & 11 deletions api/openapi/catalog.yaml
Expand Up @@ -736,10 +736,12 @@ components:
it must be unique among all the artifacts of the same artifact type within
a database instance and cannot be changed once set.
type: string
minLength: 1
id:
format: int64
description: The unique server generated id of the resource.
type: string
readOnly: true
- $ref: "#/components/schemas/BaseResourceDates"
BaseResourceDates:
description: Common timestamp fields for resources
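Review bot: `minLength: 1` on the string property above `id` rejects the empty string but still accepts a whitespace-only value and sets no upper bound. Since the description says the value must be unique and cannot be changed once set, consider adding a `maxLength` and a pattern that requires at least one non-space character. Also, `id` keeps `type: string` with `format: int64` and gets no pattern here, while the ID parameters later in this file get a digit pattern; the two should agree.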
Expand Down Expand Up @@ -1711,6 +1713,7 @@ components:
MetadataBoolValue:
description: A bool property value.
type: object
additionalProperties: false
required:
- metadataType
- bool_value
Expand All @@ -1719,11 +1722,13 @@ components:
type: boolean
metadataType:
type: string
example: MetadataBoolValue
enum:
- MetadataBoolValue
default: MetadataBoolValue
MetadataDoubleValue:
description: A double property value.
type: object
additionalProperties: false
required:
- metadataType
- double_value
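Review bot: `additionalProperties: false` on `MetadataDoubleValue` (and on `MetadataBoolValue` in the preceding hunk) turns any unknown field into a validation failure, which is a contract change for existing clients and for any stored payload that carries extra keys. Confirm the server's decoder is equally strict, otherwise the spec and the handler disagree on what is accepted, and call the change out in the release notes. The new `example` on `metadataType` repeats the single `enum` value and the `default`; one of the three is enough.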
Expand All @@ -1733,25 +1738,30 @@ components:
type: number
metadataType:
type: string
example: MetadataDoubleValue
enum:
- MetadataDoubleValue
default: MetadataDoubleValue
MetadataIntValue:
description: An integer (int64) property value.
description: An integer (int32) property value.
type: object
additionalProperties: false
required:
- metadataType
- int_value
properties:
int_value:
format: int64
format: int32
type: string
pattern: "^-?[0-9]{1,9}$"
Comment on lines 1752 to +1755

⚠️ Potential issue | 🟠 Major

int32 constraint rejects valid int32 values.

^-?[0-9]{1,9}$ caps int_value at 9 digits, so values like 1000000000 and -2147483648 become schema-invalid even though this field is documented as int32. Either widen the constraint to the full signed int32 domain or stop advertising int32 here.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@api/openapi/catalog.yaml` around lines 1752 - 1755, The schema for int_value
currently advertises int32 but uses a restrictive pattern ("^-?[0-9]{1,9}$")
that rejects valid int32 numbers; update the schema for int_value to either
remove the string pattern and use a numeric representation (type: integer,
format: int32) or, if you must keep it as string, replace the pattern with one
that matches the full signed 32-bit range (e.g., a pattern that allows
-2147483648 through 2147483647) so values like 1000000000 and -2147483648
validate correctly; locate the int_value entry and change the type/format or
widen the pattern accordingly.

metadataType:
type: string
example: MetadataIntValue
enum:
- MetadataIntValue
default: MetadataIntValue
MetadataProtoValue:
description: A proto property value.
type: object
additionalProperties: false
required:
- metadataType
- type
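Review bot: Changing `int_value` from `format: int64` to `format: int32` narrows a field that is already serialized as a string, so any value stored under the old contract that is wider than the new pattern fails validation on read as well as on write, and the hunk carries no migration or compatibility note. The pattern `^-?[0-9]{1,9}$` also accepts `-0` and zero-padded forms such as `007`, which gives several spellings for one number. If the narrowing is intended, state it in the description and have the handler parse and range-check the value rather than rely on the regex alone.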
Expand All @@ -1763,13 +1773,16 @@ components:
proto_value:
description: Base64 encoded bytes for proto value
type: string
format: byte
metadataType:
type: string
example: MetadataProtoValue
enum:
- MetadataProtoValue
default: MetadataProtoValue
MetadataStringValue:
description: A string property value.
type: object
additionalProperties: false
required:
- metadataType
- string_value
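Review bot: `proto_value` gets `format: byte` but no `maxLength`, so the Base64 payload is unbounded at the schema level even though this change bounds most other inputs. Add a `maxLength` that matches the largest value the server will store, and say in the description whether padded standard Base64 is required.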
Expand All @@ -1778,21 +1791,25 @@ components:
type: string
metadataType:
type: string
example: MetadataStringValue
enum:
- MetadataStringValue
default: MetadataStringValue
MetadataStructValue:
description: A struct property value.
type: object
additionalProperties: false
required:
- metadataType
- struct_value
properties:
struct_value:
description: Base64 encoded bytes for struct value
type: string
format: byte
metadataType:
type: string
example: MetadataStructValue
enum:
- MetadataStructValue
default: MetadataStructValue
MetadataValue:
oneOf:
Expand Down Expand Up @@ -2081,6 +2098,7 @@ components:
- `(license = "Apache 2.0" OR license = "MIT") AND verifiedSource = true`
schema:
type: string
pattern: "^[\\x20-\\x7E]*$"
in: query
required: false
mcpToolFilterQuery:
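Review bot: The pattern `^[\\x20-\\x7E]*$` on this filter parameter only removes control and non-ASCII characters; the quotes, parentheses, `%` and backticks that the filter examples use are all inside that range, so it should not be counted as injection protection and the filter parser still has to bind values safely. It also rejects any filter whose literal contains non-ASCII text, and it sets no `maxLength`. Suggest documenting the ASCII-only restriction in the description and adding a length bound; the same applies to the other three filter parameters below.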
Expand All @@ -2105,6 +2123,7 @@ components:
- `(accessType = "read_only" OR accessType = "execute") AND name LIKE "%model%"`
schema:
type: string
pattern: "^[\\x20-\\x7E]*$"
in: query
required: false
filterQuery:
Expand Down Expand Up @@ -2142,6 +2161,7 @@ components:
- Escaped property: `` `mlflow.source.type` = "notebook" ``
schema:
type: string
pattern: "^[\\x20-\\x7E]*$"
in: query
required: false
artifactFilterQuery:
Expand Down Expand Up @@ -2179,6 +2199,7 @@ components:
- Escaped property: `` `custom-key` = "value" ``
schema:
type: string
pattern: "^[\\x20-\\x7E]*$"
in: query
required: false
orderBy:
Expand Down Expand Up @@ -2337,6 +2358,8 @@ components:
description: The ID of resource.
schema:
type: string
format: int64
pattern: "^[1-9][0-9]{0,8}$"
Comment on lines 2360 to +2362

⚠️ Potential issue | 🟠 Major

ID regex narrows advertised int64 IDs to 9 digits.

Both parameters are marked format: int64, but the new regex only permits 1..999999999. Once IDs cross 9 digits, valid routes and parent filters will fail schema validation while BaseResource.id still advertises int64 strings. Align the regex with the real ID width everywhere, or downgrade the format consistently.

Also applies to: 2394-2396

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@api/openapi/catalog.yaml` around lines 2360 - 2362, The OpenAPI parameter
currently declares type: string and format: int64 but uses pattern:
"^[1-9][0-9]{0,8}$", which incorrectly limits IDs to 9 digits; update the
pattern to match 64-bit signed integer widths (for example use
"^[1-9][0-9]{0,18}$") or remove the pattern entirely so it aligns with
BaseResource.id's int64 representation, and make the same change for the other
occurrences noted (the pattern at the other block around lines 2394-2396).

in: path
required: true
name:
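Review bot: A digit-count pattern cannot express the bound declared by `format: int64` on this parameter: `{0,8}` is too narrow, and any width large enough to cover the type also admits values above the int64 maximum. Whatever width is chosen, the handler should parse the path segment with an overflow check and return a 400 on failure, and the pattern should stay identical to the one on `parentResourceId`. The pattern also excludes `0` and leading zeros, which is worth stating in the description if IDs really start at 1.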
Expand All @@ -2347,6 +2370,7 @@ components:
description: Name of entity to search.
schema:
type: string
pattern: "^[\\x20-\\x7E]+$"
in: query
required: false
externalId:
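Review bot: `^[\\x20-\\x7E]+$` restricts the `name` search parameter to printable ASCII, but nothing in this diff places the same restriction on the stored value, so an entity created with a non-ASCII name could no longer be looked up by name. The `+` also makes an empty `name=` a validation error. Either apply the same character set to the body schema or relax the query pattern, and add a `maxLength`.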
Expand All @@ -2357,6 +2381,7 @@ components:
description: External ID of entity to search.
schema:
type: string
pattern: "^[\\x20-\\x7E]+$"
in: query
required: false
parentResourceId:
Expand All @@ -2367,21 +2392,27 @@ components:
description: ID of the parent resource to use for search.
schema:
type: string
format: int64
pattern: "^[1-9][0-9]{0,8}$"
in: query
required: false
pageSize:
examples:
pageSize:
value: "100"
value: 100
name: pageSize
description: Number of entities in each page.
schema:
type: string
type: integer
format: int32
minimum: 1
maximum: 2147483647
Comment on lines 2405 to +2409

⚠️ Potential issue | 🟠 Major

Major: pageSize is effectively unbounded (CWE-770).

Exploit scenario: a caller can send pageSize=2147483647; if validation middleware accepts it, downstream list handlers must clamp it themselves or absorb the query/load. Set this to the server’s real hard cap so the contract blocks abusive values at the edge.

🔧 Remediation
       schema:
         type: integer
         format: int32
         minimum: 1
-        maximum: 2147483647
+        maximum: 1000 # replace with the handler's actual enforced cap

As per coding guidelines, REVIEW PRIORITIES: 1. Security vulnerabilities (provide severity, exploit scenario, and remediation code).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@api/openapi/catalog.yaml` around lines 2405 - 2409, The OpenAPI schema for
parameter "pageSize" currently allows up to 2147483647 which effectively permits
abusive large requests; change the "maximum" value for the pageSize schema to
the server's actual hard cap (the real maximum entries your list handlers will
accept) so the API contract rejects oversized values at the edge, and update the
schema description for pageSize to document the enforced server maximum and any
clamping behavior; make these edits where "pageSize" is defined in
api/openapi/catalog.yaml (schema type integer/format int32).

in: query
required: false
nextPageToken:
name: nextPageToken
description: Token to use to retrieve next page of results.
description: >-
Opaque pagination token returned by a previous list call. Do not construct manually; use the value from a prior response's nextPageToken field.
schema:
type: string
in: query
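Review bot: `pageSize` moves from `type: string` to `type: integer`, which changes the parameter type in generated clients; that is a source-breaking change and should be called out in the changelog even though the query string on the wire looks the same. In the same hunk, `nextPageToken` is now described as opaque but, unlike the neighbouring parameters, gets no `maxLength` or pattern, so it remains the one unbounded string input in this group.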
Expand All @@ -2408,6 +2439,7 @@ components:
description: "Comma-separated list of step IDs to filter metrics by."
schema:
type: string
pattern: "^[0-9]{1,9}(,[0-9]{1,9})*$"
in: query
required: false
securitySchemes:
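Review bot: `^[0-9]{1,9}(,[0-9]{1,9})*$` bounds each step ID to nine digits but not the number of IDs, so the list length is still unlimited. Add a `maxLength`, or model the parameter as an array with `maxItems` and `style: form`, `explode: false`. The pattern also accepts zero-padded IDs and rejects a space after the comma; say so in the description if that is intended.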