Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Dependecies are available as query params?
See original GitHub issueExample
Here is a code from the official Fastapi relational tutorial
@app.get("/users/", response_model=List[schemas.User])
def read_users(skip: int = 0, limit: int = 100, db: Session = Depends(get_db)):
users = crud.get_users(db, skip=skip, limit=limit)
return users
Description
db is supposed to be a SQLAlchemy session, but it will be also available to be set as a URL parameters. This seems like potentially a security issue. Basically one can pass GET /users/?db=foo which will cause an internal server error because “foo” does not have query or add attributes that are needed from a SQLAlchemy session. The question is if there can be a string that can be passed as db and gets de-serialized into a Python object that has the Session interface? How can the “db” dependency be inaccessible as a http query param?
Environment
- OS: Linux
- FastAPI Version 0.61.2
To know the FastAPI version use:
python -c "import fastapi; print(fastapi.__version__)"
- Python version: 3.8.6
Issue Analytics
- State:
- Created 3 years ago
- Comments:13 (8 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I see. It was not clear to me that the dependencies’ parameters will end up as URL params. Is it mentioned in the docs? Perhaps I missed it. Thanks for the clarification.
Those two lines aren’t your issue - the session=None parameter you have declared is.
That is how you declare URL parameters in FastAPI, even in subdependencies - this is not a bug