Skip to content

Fix potential KeyError in raise_dropbox_error_for_resp and replace eval()#527

Closed
neuralbroker wants to merge 1 commit into
dropbox:mainfrom
neuralbroker:fix/keyerror-and-eval
Closed

Fix potential KeyError in raise_dropbox_error_for_resp and replace eval()#527
neuralbroker wants to merge 1 commit into
dropbox:mainfrom
neuralbroker:fix/keyerror-and-eval

Conversation

@neuralbroker

Copy link
Copy Markdown

1. Fix potential KeyError in raise_dropbox_error_for_resp()

If the server returns a 400 with valid JSON that doesn't contain the 'error' key, accessing
es.json()['error'] raises an unhandled KeyError. Changed to use .get('error') to safely access the key.

Also widened the except clause to catch AttributeError alongside ValueError.

2. Replace eval() with safe string parsing

Using eval() to parse a version string from a file is unnecessary and fragile. Replaced with simple string stripping.

…al() in setup.py

1. Fix potential KeyError in raise_dropbox_error_for_resp() - use .get('error') instead of ['error'] to avoid KeyError when JSON doesn't contain the error key. Also catch AttributeError alongside ValueError.
2. Replace eval() with safe string parsing in setup.py
@CLAassistant

CLAassistant commented Jun 8, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@shuyck

shuyck commented Jun 26, 2026

Copy link
Copy Markdown

Hi @neuralbroker , thank you for reporting this. We've passed this on to our team to review as well, but we can't promise if or when any changes will be merged or implemented. We appreciate you taking the time to contribute to the Python SDK.

AndreyVMarkelov added a commit that referenced this pull request Jul 10, 2026
…e validation (#535)

- Retry the token-refresh POST on 5xx (InternalServerError) using the same
  exponential backoff as request_json_string_with_retry, honoring
  max_retries_on_error. Previously a 5xx during refresh bypassed retries
  entirely (#518).
- raise_dropbox_error_for_resp: use res.json().get('error') and catch
  AttributeError so a 400 body lacking the "error" key raises BadInputError
  instead of KeyError (#527).
- clone(): pass self._raw_user_agent instead of self._user_agent so cloned
  clients don't get the OfficialDropboxPythonSDKv2 suffix appended twice (#526).
- Reorder scope validation to check isinstance before len(), so a non-list
  scope raises BadInputException instead of TypeError, in the client
  constructor, refresh_access_token, and DropboxOAuth2FlowBase (#526).

Adds unit tests for each fix (reproduced as failing tests first).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants