From a7c481ce8790d0ec8723cca95a7feaf7e33a66b3 Mon Sep 17 00:00:00 2001
From: GareArc
Date: Fri, 8 May 2026 18:43:23 -0700
Subject: [PATCH] fix(openapi/apps): normalise uuid in session.get; validate workspace_id format in query

---
 api/controllers/openapi/apps.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/api/controllers/openapi/apps.py b/api/controllers/openapi/apps.py
index 368f4ab1c9..1a98d2c86d 100644
--- a/api/controllers/openapi/apps.py
+++ b/api/controllers/openapi/apps.py
@@ -61,6 +61,19 @@ class AppDescribeQuery(BaseModel):
 fields: set[str] | None = None
 workspace_id: str | None = None

+ @field_validator("workspace_id", mode="before")
+ @classmethod
+ def _validate_workspace_id(cls, v: object) -> str | None:
+ if v is None or v == "":
+ return None
+ if not isinstance(v, str):
+ raise ValueError("workspace_id must be a string")
+ try:
+ _uuid.UUID(v)
+ except ValueError:
+ raise ValueError("workspace_id must be a valid UUID")
+ return v
+
 @field_validator("fields", mode="before")
 @classmethod
 def _parse_fields(cls, v: object) -> set[str] | None:
@@ -95,13 +108,14 @@ class AppReadResource(Resource):
 raise NotFound("app not found")

 try:
- _uuid.UUID(app_id)
+ parsed_uuid = _uuid.UUID(app_id)
 is_uuid = True
 except ValueError:
+ parsed_uuid = None
 is_uuid = False

 if is_uuid:
- app = db.session.get(App, app_id)
+ app = db.session.get(App, str(parsed_uuid)) # normalised dashed form
 if not app or app.status != "normal":
 raise NotFound("app not found")
 else:
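Review bot: `_validate_workspace_id` checks the value with `_uuid.UUID(v)` but then returns the original string, so every spelling `UUID()` accepts (upper case, no dashes, surrounding braces, a `urn:uuid:` prefix) passes through unnormalised. The second hunk of this commit normalises `app_id` for exactly that reason; doing the same here keeps later comparisons or lookups on `workspace_id` from silently missing, e.g. `return str(_uuid.UUID(v))` inside the `try`. Re-raising with `raise ValueError("workspace_id must be a valid UUID") from None` would also drop the implicit exception chain. An empty `workspace_id=` is treated as absent; how the handler scopes results when the field is `None` is not visible here, so confirm that it falls back to the caller's own workspace rather than widening the query.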
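Review bot: Only the `db.session.get` call uses the normalised value; `app_id` itself keeps whatever spelling the client sent, and `is_uuid` now duplicates `parsed_uuid is not None`. If code later in this method (it continues outside the hunk) logs, caches or authorises on `app_id`, the same app is reachable under several spellings, so rebinding once is safer: `app_id = str(parsed_uuid)` in the `try`, then `if parsed_uuid is not None:`. The visible branch checks only `app.status`; whether the caller's access to that app's workspace is verified is not shown in this hunk and is worth confirming.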