From 5b1d7a8d5a6a4ccc98b3fafc92208b42640161a6 Mon Sep 17 00:00:00 2001
From: SAY-5
Date: Mon, 11 May 2026 22:33:36 -0700
Subject: [PATCH] fix(server): return 400 on malformed assetIds query parameter (#502)
---
 server/app/interfaces/repository.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/server/app/interfaces/repository.py b/server/app/interfaces/repository.py
index 713023d0..40930584 100644
--- a/server/app/interfaces/repository.py
+++ b/server/app/interfaces/repository.py
@@ -255,9 +255,17 @@ def _get_shells(self, request: Request) -> Tuple[Iterator[model.AssetAdministrat
 for asset_id in asset_ids:
 asset_id_json = base64url_decode(asset_id)
- asset_dict = json.loads(asset_id_json)
- name = asset_dict["name"]
- value = asset_dict["value"]
+ try:
+ asset_dict = json.loads(asset_id_json)
+ except json.JSONDecodeError as e:
+ raise BadRequest(f"Invalid assetIds query parameter: {e}") from e
+ if not isinstance(asset_dict, dict):
+ raise BadRequest("Invalid assetIds query parameter: expected a JSON object.")
+ try:
+ name = asset_dict["name"]
+ value = asset_dict["value"]
+ except KeyError as e:
+ raise BadRequest(f"Invalid assetIds query parameter: missing field {e}") from e
 if name == "specificAssetId":
 decoded_specific_id = HTTPApiDecoder.json_list(value, model.SpecificAssetId,
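Review bot: The new `except json.JSONDecodeError` around `json.loads(asset_id_json)` does not cover every failure that client-controlled input can trigger there, so some malformed `assetIds` values may still surface as a 500. `json.loads` raises `RecursionError` on excessively nested input and, if `base64url_decode` returns bytes rather than str (not visible in this hunk), `UnicodeDecodeError` on invalid byte sequences; widening the handler to `except (ValueError, RecursionError) as e:` would map both to `BadRequest`. The `base64url_decode(asset_id)` call also sits outside the `try`, so whether bad base64 yields a 400 depends on that helper and is worth confirming. `_get_shells` begins and ends outside the hunk, so any validation of `value` further down cannot be judged from here.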