Fix conversation ID validation to return 400 instead of 500 for long IDs (#10496)

openhands/server/utils.py

@@ -13,6 +13,50 @@ from openhands.storage.conversation.conversation_store import ConversationStore
 from openhands.storage.data_models.conversation_metadata import ConversationMetadata
 
 
+def validate_conversation_id(conversation_id: str) -> str:
+    """
+    Validate conversation ID format and length.
+
+    Args:
+        conversation_id: The conversation ID to validate
+
+    Returns:
+        The validated conversation ID
+
+    Raises:
+        HTTPException: If the conversation ID is invalid
+    """
+    # Check length - UUID hex is 32 characters, allow some flexibility but not excessive
+    if len(conversation_id) > 100:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail='Conversation ID is too long',
+        )
+
+    # Check for null bytes and other problematic characters
+    if '\x00' in conversation_id:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail='Conversation ID contains invalid characters',
+        )
+
+    # Check for path traversal attempts
+    if '..' in conversation_id or '/' in conversation_id or '\\' in conversation_id:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail='Conversation ID contains invalid path characters',
+        )
+
+    # Check for control characters and newlines
+    if any(ord(c) < 32 for c in conversation_id):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail='Conversation ID contains control characters',
+        )
+
+    return conversation_id
+
+
 async def get_conversation_store(request: Request) -> ConversationStore | None:
     conversation_store: ConversationStore | None = getattr(
         request.state, 'conversation_store', None