BUG: Backend: Backend crashes when password contains null bytes (x00)

[DeveloperAmrit]

Is there an existing issue for this?

• I have searched the existing issues

What happened?

How to reproduce

1. Send this payload to POST /albums/

{
  "name": "Test Album",
  "is_hidden": true,
  "password": "pass\u0000word"
}

Description

Hypothesis fuzz testing revealed that the backend crashes with a 500 Internal Server Error if a user attempts to create or update a hidden album with a password containing a null byte (e.g., "\x00").

Root cause

The bycrypt library used for password hashing throws a ValueError when it encounters a null byte. This exception was not being caught in the database layer, propagating up as an unhandled server error.

Source of crash

• line 130 db_insert_album function in albums.py
• line 135 db_update_album function in albums.py

Expected behaviour
The API should return 422 Unprocessable Entity indicating the input is invalid, rather than crashing the server.

Proposed changes

• Add a field validator in schemas/album.py

I would like to work on this issue.

Record

• I agree to follow this project's Code of Conduct

[github-actions]

👋 Thanks for opening this issue! The maintainers will review it shortly. Till then, do not open any PR. This is a strict rule we like to follow around here :)

[DeveloperAmrit]

I would like to work on this issue