Skip to content

fix: raise instead of return HTTPBadRequest on JSON decode error in compass_svc#45

Open
deacon-mp wants to merge 1 commit intomasterfrom
fix/compass-http-bad-request-return-vs-raise
Open

fix: raise instead of return HTTPBadRequest on JSON decode error in compass_svc#45
deacon-mp wants to merge 1 commit intomasterfrom
fix/compass-http-bad-request-return-vs-raise

Conversation

@deacon-mp
Copy link
Copy Markdown
Contributor

@deacon-mp deacon-mp commented Mar 16, 2026

Summary

create_adversary_from_layer() in compass_svc.py was returning web.HTTPBadRequest() when a JSONDecodeError was caught, instead of raising it.

Before:

except json.decoder.JSONDecodeError:
    return web.HTTPBadRequest()

After:

except json.decoder.JSONDecodeError:
    raise web.HTTPBadRequest()

Impact

In aiohttp, HTTP exception objects must be raised to be intercepted by the framework and sent as an HTTP response. When the exception object is returned instead, aiohttp receives None from the handler (since the function continues past the return), resulting in a 500 Internal Server Error being returned to the client instead of the intended 400 Bad Request.

Any client that submits a malformed or non-JSON layer file to the create_adversary_from_layer endpoint receives a misleading 500 error rather than a clear 400 error indicating a client-side problem.

Note: the except Exception block at the bottom of the same function correctly uses raise web.HTTPBadRequest() — this fix makes the JSONDecodeError path consistent.

Test plan

  • Submit a non-JSON file to the compass layer upload endpoint and confirm a 400 response is returned
  • Submit a valid JSON layer file and confirm adversary creation still works

@deacon-mp
fix: raise instead of return HTTPBadRequest on JSON decode error
88d8c37 
create_adversary_from_layer() was returning web.HTTPBadRequest() on
JSONDecodeError instead of raising it. In aiohttp, HTTP exception objects
must be raised to be sent to the client; returning them causes the handler
to return None, resulting in a 500 error instead of the intended 400.
@deacon-mp deacon-mp requested a review from Copilot March 16, 2026 03:47
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes create_adversary_from_layer() in app/compass_svc.py to correctly signal client errors to aiohttp by raising web.HTTPBadRequest when JSON parsing fails, instead of returning the exception object.

Changes:

  • Replace return web.HTTPBadRequest() with raise web.HTTPBadRequest() in the JSONDecodeError handler.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

deacon-mp added a commit that referenced this pull request Mar 16, 2026
@deacon-mp
test: add exhaustive pytest coverage for compass plugin
863655e 
Adds 77 tests covering all public methods and endpoints in compass_svc.py
and hook.py. Includes shared fixtures in conftest.py, edge cases for
malformed/empty layers, missing fields, the raise-vs-return HTTPBadRequest
inconsistency (PR #45), and stub auth_svc for isolated testing.
@deacon-mp deacon-mp mentioned this pull request Mar 16, 2026
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@deacon-mp