Skip to content

[BUG] explicitly allow extra params#6534

Merged
kylediaz merged 5 commits intomainfrom
kylediaz03-03-_bug_explicitly_allow_extra_params
Mar 7, 2026
Merged

[BUG] explicitly allow extra params#6534
kylediaz merged 5 commits intomainfrom
kylediaz03-03-_bug_explicitly_allow_extra_params

Conversation

@kylediaz
Copy link
Copy Markdown
Contributor

@kylediaz kylediaz commented Mar 3, 2026
edited
Loading

pydantic's default behavior should be to ignore extra params. In practice, we see it error if extra params are provided

https://docs.pydantic.dev/latest/concepts/models/#extra-data

This explicitly sets the "extra" param

@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 3, 2026

Reviewer Checklist

Please leverage this checklist to ensure your code review is thorough before approving

Testing, Bugs, Errors, Logs, Documentation

  • Can you think of any use case in which the code does not behave as intended? Have they been tested?
  • Can you think of any inputs or external events that could break the code? Is user input validated and safe? Have they been tested?
  • If appropriate, are there adequate property based tests?
  • If appropriate, are there adequate unit tests?
  • Should any logging, debugging, tracing information be added or removed?
  • Are error messages user-friendly?
  • Have all documentation changes needed been made?
  • Have all non-obvious changes been commented?

System Compatibility

  • Are there any potential impacts on other parts of the system or backward compatibility?
  • Does this change intersect with any items on our roadmap, and if so, is there a plan for fitting them together?

Quality

  • Is this code of a unexpectedly high quality (Readability, Modularity, Intuitiveness)

@kylediaz Graphite App
Copy link
Copy Markdown
Contributor Author

kylediaz commented Mar 3, 2026

This stack of pull requests is managed by Graphite. Learn more about stacking.

@kylediaz kylediaz requested a review from rescrv March 3, 2026 22:33
@kylediaz kylediaz marked this pull request as ready for review March 3, 2026 22:33
@propel-code-bot
Copy link
Copy Markdown
Contributor

propel-code-bot bot commented Mar 3, 2026
edited
Loading

It also adds tests to validate environment overrides and that extra parameters are safely ignored while preserving expected access behavior.

Possible Issues

• Ignoring extra params may mask configuration typos; ensure this is acceptable for Settings usage.

This summary was automatically generated by @propel-code-bot

propel-code-bot[bot]

This comment was marked as outdated.

Sign in to view

@kylediaz kylediaz mentioned this pull request Mar 3, 2026
Open
propel-code-bot[bot]
propel-code-bot bot reviewed Mar 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@propel-code-bot propel-code-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change flags potential security risk from silently ignoring unknown settings keys.

Status: Changes Suggested | Risk: Medium

Issues Identified & Suggestions
  • Ignoring unknown config keys may hide typos; consider safer filtering: chromadb/config.py
Review Details

📁 2 files reviewed | 💬 1 comments

👍 / 👎 individual comments to help improve reviews for you

chromadb/config.py
return val

model_config = {"env_file": ".env", "env_file_encoding": "utf-8"}
model_config = {"env_file": ".env", "env_file_encoding": "utf-8", "extra": "ignore"}
Copy link
Copy Markdown
Contributor

@propel-code-bot propel-code-bot bot Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important

[Security] Enabling extra='ignore' allows configuration typos to pass silently, which can be dangerous for security settings. For example, if a user misspells chroma_server_ssl_enabled=True as chroma_server_ssl_enabld=True, the setting will be ignored and the server will start without SSL (defaulting to False).

Ensure this trade-off is acceptable for your use case. If this is primarily to handle specific known extra parameters, filtering them before initialization might be safer than globally ignoring all unknown fields.

Context for Agents 
Enabling `extra='ignore'` allows configuration typos to pass silently, which can be dangerous for security settings. For example, if a user misspells `chroma_server_ssl_enabled=True` as `chroma_server_ssl_enabld=True`, the setting will be ignored and the server will start without SSL (defaulting to False).

Ensure this trade-off is acceptable for your use case. If this is primarily to handle specific known extra parameters, filtering them before initialization might be safer than globally ignoring all unknown fields.

File: chromadb/config.py
Line: 320

@blacksmith-sh

This comment has been minimized.

Sign in to view
@kylediaz kylediaz merged commit 7a3b397 into main Mar 7, 2026
128 of 130 checks passed
@kylediaz kylediaz mentioned this pull request Mar 7, 2026
Merged
itaismith pushed a commit that referenced this pull request Mar 8, 2026
@kylediaz
[RELEASE] Python 1.5.4 (#6585)
e0525a2 
#6534
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@propel-code-bot propel-code-bot[bot] propel-code-bot[bot] left review comments

@rescrv rescrv rescrv approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kylediaz @rescrv