Correctness: Chat handler uses #[serde(default)] silently masking missing required fields #99

Open
opened 2026-05-11 13:49:52 +00:00 by thabeta · 0 comments
Owner

Severity: Medium

Location

crates/hero_aibroker_services/src/services/hero/types.rs and wire format handlers

Finding

Many request types use #[serde(default)] on fields that should be required:

```rust
use serde::Deserialize;

#[derive(Deserialize)]
pub struct ChatRequest {
    pub model: String,
    #[serde(default)]
    pub messages: Vec<Message>,  // defaults to empty vec when the field is absent
    #[serde(default)]
    pub stream: bool,            // defaults to false when the field is absent
    // ...
}
```

An empty messages array is silently accepted and forwarded to the provider, which will likely reject it.

Recommendation

  • Validate required fields explicitly before forwarding
  • Return 400 Bad Request with specific field errors
  • Don't use #[serde(default)] on semantically required fields
Reference
lhumina_code/hero_aibroker#99