@orhanrauf orhanrauf commented Oct 29, 2025

CASA-36: HTTP Parameter Pollution (HPP) Testing and Validation

Overview

Implements comprehensive HTTP Parameter Pollution (HPP) testing and documentation to demonstrate Airweave's built-in FastAPI/Pydantic defenses for CASA compliance auditors.

Changes

Integration Tests (backend/tests/integration/api/test_hpp_security.py)

  • 11 focused tests covering all HPP attack vectors
  • Tests parameter validation layer in isolation (mocked DB dependencies)
  • Coverage: query params, JSON body, request size limits, validation errors, edge cases
  • All tests pass consistently when run together (no event loop conflicts)

Security Documentation (backend/docs/security/hpp-protection.md)

  • Complete technical explanation of FastAPI/Pydantic HPP defenses
  • Attack scenarios with mitigations
  • Configuration options and monitoring guidance
  • Compliance statement for auditors

API Security Hardening (backend/airweave/api/v1/endpoints/collections.py)

  • Added ge=0 validation to skip parameter
  • Prevents negative OFFSET SQL errors and potential injection attacks
  • Ensures consistent parameter validation across pagination endpoints

Testing

cd backend
pytest tests/integration/api/test_hpp_security.py -v

Results: ✅ 11/11 tests passing

CASA Compliance

Demonstrates that FastAPI's strict type validation provides comprehensive HPP protection across all parameter sources (query, path, headers, body). Duplicate parameters use last value with type enforcement, triggering 422 errors before reaching business logic.

Auditor Documentation

See backend/docs/security/hpp-protection.md for complete technical details and backend/tests/integration/api/test_hpp_security.py for test coverage.


Summary by cubic

Hardened API against HTTP Parameter Pollution (CASA-36) by enforcing strict pagination parameter validation and adding integration tests that confirm FastAPI/Pydantic block polluted inputs before business logic. Prevents negative OFFSET errors and closes gaps in query/body validation.

  • Bug Fixes
    • Enforced skip >= 0 on pagination endpoints (collections, syncs, jobs, API keys, auth providers, admin organizations).
    • Enforced limit bounds (>= 1 with caps of 1000/10000) for consistent, safe paging.
    • Applied FastAPI Query constraints for type and range validation across endpoints.
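The validation behaviour the description relies on (the last duplicate wins for a scalar query parameter, the value is coerced to `int`, `ge`/`le` bounds are checked, and a 422 is returned before the handler runs) can be exercised without a running server. The block below is an added stand-alone example, not Airweave's code and not FastAPI itself: it is a small stdlib model of those semantics, with the `QueryParam` class, the `PAGINATION` declaration, the `bind_query`/`handle` helpers and the query strings all constructed for illustration. The `{"detail": [{"loc": ["query", "skip"], ...}]}` error shape follows the layout of FastAPI's 422 body.

```python
from dataclasses import dataclass
from typing import Any, Callable, Optional
from urllib.parse import parse_qsl


@dataclass(frozen=True)
class QueryParam:
    """Declared constraint for one query parameter (modelled on FastAPI's Query(); hypothetical)."""
    name: str
    default: Any = None
    ge: Optional[int] = None
    le: Optional[int] = None
    many: bool = False  # list[int]-style parameter: every duplicate is collected, none dropped


def _coerce_int(loc: list, raw: str) -> tuple:
    """Strict integer parse; anything else becomes a 422-style error record."""
    try:
        return int(raw), None
    except ValueError:
        return None, {"loc": loc, "msg": "value is not a valid integer", "type": "int_parsing"}


def _check_range(loc: list, value: int, p: QueryParam) -> Optional[dict]:
    """Apply ge/le bounds the way Query(ge=..., le=...) does."""
    if p.ge is not None and value < p.ge:
        return {"loc": loc, "msg": f"value must be >= {p.ge}", "type": "greater_than_equal"}
    if p.le is not None and value > p.le:
        return {"loc": loc, "msg": f"value must be <= {p.le}", "type": "less_than_equal"}
    return None


def bind_query(query_string: str, params: list) -> tuple:
    """Bind a raw query string to declared params. Returns (bound_values, errors).

    Scalar params take the LAST occurrence (multidict semantics, the case the PR
    description describes); list params keep every occurrence in order.
    """
    pairs = parse_qsl(query_string, keep_blank_values=True)  # order preserved
    bound, errors = {}, []
    for p in params:
        loc = ["query", p.name]
        occurrences = [v for k, v in pairs if k == p.name]
        if p.many:
            items = []
            for i, raw in enumerate(occurrences):
                value, err = _coerce_int(loc + [i], raw)
                err = err or _check_range(loc + [i], value, p)
                if err:
                    errors.append(err)
                else:
                    items.append(value)
            bound[p.name] = items
            continue
        if not occurrences:
            bound[p.name] = p.default
            continue
        value, err = _coerce_int(loc, occurrences[-1])  # last value wins
        err = err or _check_range(loc, value, p)
        if err:
            errors.append(err)
        else:
            bound[p.name] = value
    return bound, errors


def handle(query_string: str, params: list, handler: Callable[..., Any]) -> tuple:
    """Route one request: any validation error short-circuits to 422 and the
    handler (the 'business logic') is never invoked."""
    bound, errors = bind_query(query_string, params)
    if errors:
        return 422, {"detail": errors}
    return 200, handler(**bound)


# Constructed pagination contract matching the constraints the PR describes:
# skip >= 0, 1 <= limit <= 1000.
PAGINATION = [
    QueryParam("skip", default=0, ge=0),
    QueryParam("limit", default=100, ge=1, le=1000),
]


def list_collections(skip: int, limit: int) -> dict:
    """Stand-in handler; a real one would issue OFFSET/LIMIT with these values."""
    return {"offset": skip, "limit": limit}


if __name__ == "__main__":
    for qs in ("skip=5&skip=1", "skip=1&skip=-5", "skip=0&skip=abc", "limit=5000"):
        print(qs, "->", handle(qs, PAGINATION, list_collections))
```

Frameworks disagree on which duplicate wins (some take the first value, others concatenate), which is why a test suite should pin the behaviour down rather than assume it. A list-typed parameter collects every occurrence instead of discarding all but one, so the `many=True` path is included to show that polluting a list parameter is validated element by element rather than silently truncated.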

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 9 files
