dohertj2/mxaccessgw
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(python): bound galaxy-browse --depth; assert no _text leak in JSON

Browse Source 
Guard _galaxy_browse against unbounded recursion by rejecting --depth
values outside [0, 50] with a descriptive BadParameter. Add test coverage
for --depth 99 and --depth -1 rejection, and assert _text is never
present in the JSON output from galaxy-browse.
This commit is contained in:
Joseph Doherty
2026-06-15 10:09:30 -04:00
parent d7e2a8b3cf
commit 7975b09325
2 changed files with 20 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
clients/python/src/zb_mom_ww_mxgateway_cli/commands.py
+2 -2
View File
@@ -1086,8 +1086,8 @@ async def _galaxy_discover(**kwargs: Any) -> dict[str, Any]:
async def _galaxy_browse(**kwargs: Any) -> dict[str, Any]:
depth = int(kwargs["depth"])
if depth < 0:
raise click.BadParameter("must be non-negative", param_hint="--depth")
if depth < 0 or depth > 50:
raise click.BadParameter("--depth must be between 0 and 50", param_hint="--depth")
options = BrowseChildrenOptions(
category_ids=tuple(kwargs.get("category_ids") or ()),
template_chain_contains=tuple(kwargs.get("template_chain_contains") or ()),