Right now, various Metaflow IDs (e.g. flow ids, run ids, etc.) are passed straight from the client request to the Postgres SQL query without any validation.
With the advent of the tag mutation CLI, it is now more likely for the service to receive invalid (not necessarily malicious) ids. E.g. a local metadata service generated run id string based on epoch time ms will overflow on Postgres as a run number.
This issue suggests we harden all IDs referenced in a client request (e.g. could be part of URL params, or body), and have the service respond with appropriate error responses to the user (rather than raw Postgres errors).
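An added example, not part of the original issue or the Metaflow service code: one way to validate ids before they reach a query and return a 400 instead of a raw Postgres error. The function names, the 32-bit bound on the run number column, the 255-character limit and the allowed character set are all assumptions to be matched against the real schema.

```python
import re

# Assumption: the run number column is a signed 32-bit Postgres integer.
# Set to 2**63 - 1 if the column is BIGINT.
PG_INT_MAX = 2**31 - 1
# Assumption: string ids are at most 255 chars from a conservative alphabet.
NAME_RE = re.compile(r"[A-Za-z0-9_.\-]{1,255}")


class InvalidId(ValueError):
    """An id that must not reach the database; the caller maps it to HTTP 400."""


def validate_name(field, value):
    # fullmatch rejects None, empty strings, whitespace and trailing newlines.
    if not isinstance(value, str) or not NAME_RE.fullmatch(value):
        raise InvalidId(f"{field}: expected 1-255 chars of [A-Za-z0-9_.-]")
    return value


def validate_run_id(value):
    """Return ('run_number', int) for numeric ids, ('run_id', str) otherwise."""
    # isascii() keeps non-ASCII digits, which int() would accept, out of this path.
    if isinstance(value, str) and value.isascii() and value.isdigit():
        number = int(value)
        if not 0 <= number <= PG_INT_MAX:
            raise InvalidId(f"run_id: {number} is outside 0..{PG_INT_MAX}")
        return "run_number", number
    return "run_id", validate_name("run_id", value)


def check_request_ids(params):
    """Validate ids taken from URL params or body; return (http_status, payload)."""
    try:
        flow_id = validate_name("flow_id", params.get("flow_id"))
        column, run_value = validate_run_id(params.get("run_id"))
    except InvalidId as exc:
        return 400, {"message": f"invalid id: {exc}"}
    return 200, {"flow_id": flow_id, column: run_value}


if __name__ == "__main__":
    # Constructed sample requests; the second uses an epoch-ms style run id.
    for sample in (
        {"flow_id": "HelloFlow", "run_id": "42"},
        {"flow_id": "HelloFlow", "run_id": "1700000000000"},
        {"flow_id": "bad flow id", "run_id": "7"},
    ):
        print(sample, "->", check_request_ids(sample))
```

The validated values are still passed to the database as bound query parameters; the check only guarantees a clean error response for ids the column cannot hold.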