Summary
The @validation.query_schema decorator always validates against req.GET instead of the handler’s processed argument, causing misvalidation or bypass of intended data transformations. For example:
```python
@validation.query_schema(InspectStatsSchema)
def inspect_stats(self, req, userid_list):
    info = self.client.inspect_stats(userid_list)
    return info
```
Here, the decorator validates req.GET rather than the userid_list passed to the handler.
As per the reporter,
```python
if _schema_validation_helper(query_params_schema,
                             req.GET.dict_of_lists(),
                             args, kwargs, is_body=False)
```
The second parameter should be args[2], not req.GET.dict_of_lists, because args[index] (index to be determined, maybe fixed) is exactly the data we processed in handlers, just like userid_list in the following case:
```python
@validation.query_schema(guest.userid_list_array_query)
def inspect_stats(self, req, userid_list):
    info = self.client.send_request('guest_inspect_stats',
                                    userid_list)
    return info
```
And req.GET.dict_of_lists() is data passed from the URL; the value would be very weird.
This problem may affect every validation case of all the query methods.
Launchpad Ref - https://bugs.launchpad.net/python-zvm-sdk/+bug/1747584
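
The difference between the two validation targets can be seen in a small stand-alone model. This is an added illustration, not python-zvm-sdk code: the decorator, both check functions, the 8-character id rule and the sample queries are constructed, and `req.GET.dict_of_lists()` is modelled as a plain dict.

```python
import functools

class ValidationError(Exception):
    """Raised when the selected validation target fails its check."""

def raw_query_ok(value):
    # Constructed check for the URL shape: {"userid": ["a,b", ...]}
    return isinstance(value, dict) and all(
        isinstance(v, str) for v in value.get("userid", [None]))

def userid_list_ok(value):
    # Constructed check for the processed shape: 1-8 char alphanumeric ids
    return isinstance(value, list) and bool(value) and all(
        isinstance(u, str) and u.isalnum() and len(u) <= 8 for u in value)

def query_schema(check, use_processed_arg):
    """Hypothetical decorator: validate the raw query or the handler argument."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(raw_query, userid_list):
            target = userid_list if use_processed_arg else raw_query
            if not check(target):
                raise ValidationError(repr(target))
            return handler(raw_query, userid_list)
        return wrapper
    return decorator

def split_userids(raw_query):
    # Stand-in for the processing done before the handler is called
    return [u for item in raw_query.get("userid", []) for u in item.split(",")]

def outcome(check, use_processed_arg, raw_query):
    """Return 'accepted' or 'rejected' for one request under one configuration."""
    @query_schema(check, use_processed_arg)
    def inspect_stats(raw_query, userid_list):
        return userid_list
    try:
        inspect_stats(raw_query, split_userids(raw_query))
        return "accepted"
    except ValidationError:
        return "rejected"

# Constructed sample queries
GOOD = {"userid": ["GOOD1,GOOD2"]}
BAD = {"userid": ["GOOD1,THISIDISWAYTOOLONG"]}
```

A check written for the processed list rejects every request when it is handed the raw query dict, and a check that only fits the raw shape lets an over-long id through to the handler.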