GraphQL API returns all object if given filter is invalid #9994

New Issue

adam · 2025-12-29T21:25:23+01:00

adam commented

2025-12-29 21:25:23 +01:00

Originally created by @valentinesd on GitHub (Jul 19, 2024).

Originally assigned to: @arthanson on GitHub.

Deployment Type

Self-hosted

NetBox Version

v4.0.7

Python Version

3.10

Steps to Reproduce

My specific use case is vlan_list filtered by site id, but the behavior can be observed across all objects (eg site_list filtered by region_id)
Add VLANs to netbox and perform a GraphQL query similar to below (where 1234567890 is not a valid site)

{
  vlan_list(filters: {site_id: "1234567890"}){
    id
    vid
    site {
      id
    }
    tenant {
      id
    }
  }
}

Expected Behavior

Return an empty list or error, as the filter is not satisfied

Observed Behavior

Returns all objects

Originally created by @valentinesd on GitHub (Jul 19, 2024). Originally assigned to: @arthanson on GitHub. ### Deployment Type Self-hosted ### NetBox Version v4.0.7 ### Python Version 3.10 ### Steps to Reproduce My specific use case is vlan_list filtered by site id, but the behavior can be observed across all objects (eg site_list filtered by region_id) Add VLANs to netbox and perform a GraphQL query similar to below (where 1234567890 is not a valid site) ``` { vlan_list(filters: {site_id: "1234567890"}){ id vid site { id } tenant { id } } } ``` ### Expected Behavior Return an empty list or error, as the filter is not satisfied ### Observed Behavior Returns all objects

adam added the type: bug status: accepted topic: GraphQL severity: medium labels 2025-12-29 21:25:23 +01:00

adam closed this issue

2025-12-29 21:25:23 +01:00

adam commented

2025-12-29 21:25:24 +01:00

@jeremystretch commented on GitHub (Jul 26, 2024):

This appears to be the same behavior as the web UI: Filtering a list of objects by an invalid foreign key to some other object negates the filter and returns an unfiltered list. (The REST API, however, does return an error.)

@jeremystretch commented on GitHub (Jul 26, 2024): This appears to be the same behavior as the web UI: Filtering a list of objects by an invalid foreign key to some other object negates the filter and returns an unfiltered list. (The REST API, however, does return an error.)

adam commented

2025-12-29 21:25:24 +01:00

@arthanson commented on GitHub (Jul 29, 2024):

I think some extra logic would be needed here: https://github.com/netbox-community/netbox/blob/develop/netbox/netbox/graphql/filter_mixins.py#L204 as it is just returning the filterset which is returning all the items, REST must have specific logic to catch this case., will need to be ported here.

@arthanson commented on GitHub (Jul 29, 2024): I think some extra logic would be needed here: https://github.com/netbox-community/netbox/blob/develop/netbox/netbox/graphql/filter_mixins.py#L204 as it is just returning the filterset which is returning all the items, REST must have specific logic to catch this case., will need to be ported here.

Sign in to join this conversation.

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#9994