fix: preserve HTTPException status in update_docling_preset (#1586)#1814
fix: preserve HTTPException status in update_docling_preset (#1586)#1814hunterxtang wants to merge 3 commits into
Conversation
WalkthroughThe deprecated ChangesHTTP Exception Handling Fix
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
e3de2b3 to
cd3713f
Compare
There was a problem hiding this comment.
(1a) [Normal] Raw exception message leaked in 500 response detail string
Problem
- Embedding
str(e)in API response bodies can expose internal implementation details (file paths, library internals, config values, stack-frame fragments) to any caller — a recognized security anti-pattern (OWASP A05:2021 — Security Misconfiguration; CWE-209: Information Exposure Through an Error Message). - The error is already fully captured server-side via
logger.error("Failed to update docling settings", error=str(e)), so no diagnostic value is lost by removingstr(e)from the detail. - Note: This was explicitly called out in the linked issue's own proposed fix (bug: HTTPException(400) swallowed as 500 in update_docling_preset #1586):
The PR applied the
- status_code=500, detail=f"Failed to update docling settings: {str(e)}" + status_code=500, detail="Failed to update docling settings"
except HTTPException: raisepart of that fix but did not carry forward this secondary hardening.
Code References
src/api/settings/endpoints.py:1630— primary (this PR's scope)
Potential Solution
Strip the raw exception from the client-facing detail string:
except Exception as e:
logger.error("Failed to update docling settings", error=str(e))
raise HTTPException(
status_code=500, detail="Failed to update docling settings"
) from e|
|
||
| except HTTPException: | ||
| # Preserve intended HTTP status codes (e.g. 400 for an invalid preset) | ||
| raise |
There was a problem hiding this comment.
(1b) [Minor] No regression test added to guard the fixed behavior
Problem
- The PR fixes a bug where an invalid preset silently produced a 500 instead of the intended 400, but no test was added to assert the corrected behavior.
- Without a test, any future refactor that reorders or widens the
exceptchain could silently reproduce the original bug with no CI signal. - A unit test calling
update_docling_presetdirectly with an invalid preset body and assertingstatus_code=400would require no infra and would be straightforward to add.
Code References
src/api/settings/endpoints.py:1590–1594— theraise HTTPException(status_code=400, ...)path the fix protectstests/unit/test_docling_service.py— closest existing test file; an additional test belongs here or in a newtest_settings_endpoints.py
Potential Solution
import pytest
from fastapi import HTTPException
from unittest.mock import AsyncMock
@pytest.mark.asyncio
async def test_update_docling_preset_invalid_preset_returns_400():
from api.settings.endpoints import update_docling_preset
from api.settings.models import DoclingPresetBody
body = DoclingPresetBody(preset="nonexistent_preset")
with pytest.raises(HTTPException) as exc_info:
await update_docling_preset(body=body, session_manager=AsyncMock(), user=AsyncMock())
assert exc_info.value.status_code == 400|
1a) Removed 1b) Added |
|
Thanks @hunterxtang
|
|
|
mpawlow
left a comment
There was a problem hiding this comment.
Code Review 2
- ✅ Approved / LGTM 🚀
⚠️ Need to resolve E2E / Integration test failures in the workflow before merge (potential infrastructure problems)
There was a problem hiding this comment.
🧹 Nitpick comments (1)
src/api/settings/endpoints.py (1)
1085-1120: ⚖️ Poor tradeoffUnrelated refactoring mixed with the docling preset fix.
The PR objectives (issue
#1586) describe only the HTTPException status preservation fix inupdate_docling_preset(lines 1600-1605). However, this diff also includes an unrelated refactoring of OpenSearch client creation in theonboardingfunction (lines 1085-1120). The AI summary mentions this refactoring but the PR objectives and issue description do not.Mixing unrelated changes in a single PR reduces reviewability and makes rollback more difficult if one change needs to be reverted independently. Consider moving the OpenSearch client refactoring to a separate PR.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/api/settings/endpoints.py` around lines 1085 - 1120, Remove the OpenSearch client creation refactoring from this PR as it is unrelated to the main objective of fixing HTTPException status preservation in the update_docling_preset function. The refactoring of admin_username determination and the associated logging in the onboarding function (lines 1085-1120) should be moved to a separate pull request to maintain focus on the issue `#1586` fix and improve code review clarity.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@src/api/settings/endpoints.py`:
- Around line 1085-1120: Remove the OpenSearch client creation refactoring from
this PR as it is unrelated to the main objective of fixing HTTPException status
preservation in the update_docling_preset function. The refactoring of
admin_username determination and the associated logging in the onboarding
function (lines 1085-1120) should be moved to a separate pull request to
maintain focus on the issue `#1586` fix and improve code review clarity.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 381ed3c7-f2f6-4781-84df-ce38f9d3ee75
📒 Files selected for processing (1)
src/api/settings/endpoints.py
|
🚧 Re-running the GitHub workflow to see if the E2E / Integration test failures are resolved |
|
Still failing...
|
we should probably create a new branch from the release one and apply changes there, @lucaseduoli ? |
|
Fixes #1586
Summary by CodeRabbit