Koko210/miku-discord
1
0
Fork 0
Code Issues 34 Pull Requests Actions Packages Projects Releases Wiki Activity

MEDIUM: No Request Validation on Web UI API #9

New Issue
Open
opened 2026-02-16 22:09:38 +02:00 by Koko210 · 0 comments
Koko210 commented 2026-02-16 22:09:38 +02:00
Owner
Copy Link

The web API endpoints (bot/api.py) do not validate incoming request parameters, allowing invalid or malicious data to reach the bot logic.

Where It Occurs

  • bot/api.py - All API endpoints missing validation
  • bot/api_main.py - API routes

Why This Is a Problem

  1. Security: Malformed input may cause crashes or unexpected behavior
  2. Data Corruption: Invalid data may be written to state files
  3. Poor UX: Users get cryptic errors instead of helpful messages
  4. Debugging: Hard to trace issues without validation

What Can Go Wrong

Scenario 1: Negative GPU Index

  1. User sends POST /api/set_gpu with body {gpu_index: -1}
  2. API endpoint does not validate gpu_index >= 0
  3. Code tries to access array with negative index
  4. IndexError causes API to return 500 error
  5. User gets no helpful error message

Scenario 2: Large Message Payload

  1. User sends POST /api/message with 10MB body
  2. API does not validate payload size
  3. Bot tries to process entire message
  4. Memory consumption spikes
  5. Bot crashes or slows down dramatically

Proposed Fix

Use Pydantic for request validation with schema definitions.

Severity

MEDIUM - Lack of validation causes crashes and poor error messages.

Files Affected

bot/api.py, bot/api_main.py

The web API endpoints (bot/api.py) do not validate incoming request parameters, allowing invalid or malicious data to reach the bot logic. ## Where It Occurs - bot/api.py - All API endpoints missing validation - bot/api_main.py - API routes ## Why This Is a Problem 1. Security: Malformed input may cause crashes or unexpected behavior 2. Data Corruption: Invalid data may be written to state files 3. Poor UX: Users get cryptic errors instead of helpful messages 4. Debugging: Hard to trace issues without validation ## What Can Go Wrong ### Scenario 1: Negative GPU Index 1. User sends POST /api/set_gpu with body {gpu_index: -1} 2. API endpoint does not validate gpu_index >= 0 3. Code tries to access array with negative index 4. IndexError causes API to return 500 error 5. User gets no helpful error message ### Scenario 2: Large Message Payload 1. User sends POST /api/message with 10MB body 2. API does not validate payload size 3. Bot tries to process entire message 4. Memory consumption spikes 5. Bot crashes or slows down dramatically ## Proposed Fix Use Pydantic for request validation with schema definitions. ## Severity MEDIUM - Lack of validation causes crashes and poor error messages. ## Files Affected bot/api.py, bot/api_main.py
Koko210 reopened this issue 2026-02-16 22:17:02 +02:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Koko210
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Koko210/miku-discord#9
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?