Validate update_mask fields in PATCH endpoints against Pydantic models

Vamsi-klu · claude · Vamsi-klu · commit 1acaa2162f1a · 2026-02-28T23:21:54.000-08:00
When update_mask is provided, Pydantic validation was skipped entirely,
allowing invalid field values to bypass validation and go straight to
setattr() on ORM models. Now validation runs regardless of whether
update_mask is provided.

Affected endpoints: variables, connections, dags, pools.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/airflow/api_fastapi/core_api/routes/public/connections.py b/airflow/api_fastapi/core_api/routes/public/connections.py
@@ -199,11 +199,11 @@ def patch_connection(
 
     if update_mask:
         fields_to_update = fields_to_update.intersection(update_mask)
-    else:
-        try:
-            ConnectionBody(**patch_body.model_dump())
-        except ValidationError as e:
-            raise RequestValidationError(errors=e.errors())
+
+    try:
+        ConnectionBody(**patch_body.model_dump(include=fields_to_update))
+    except ValidationError as e:
+        raise RequestValidationError(errors=e.errors())
 
     data = patch_body.model_dump(include=fields_to_update - non_update_fields, by_alias=True)
 
diff --git a/airflow/api_fastapi/core_api/routes/public/dags.py b/airflow/api_fastapi/core_api/routes/public/dags.py
@@ -227,11 +227,11 @@ def patch_dag(
                 status.HTTP_400_BAD_REQUEST, "Only `is_paused` field can be updated through the REST API"
             )
         fields_to_update = fields_to_update.intersection(update_mask)
-    else:
-        try:
-            DAGPatchBody(**patch_body.model_dump())
-        except ValidationError as e:
-            raise RequestValidationError(errors=e.errors())
+
+    try:
+        DAGPatchBody(**patch_body.model_dump(include=fields_to_update))
+    except ValidationError as e:
+        raise RequestValidationError(errors=e.errors())
 
     data = patch_body.model_dump(include=fields_to_update, by_alias=True)
 
diff --git a/airflow/api_fastapi/core_api/routes/public/pools.py b/airflow/api_fastapi/core_api/routes/public/pools.py
@@ -162,13 +162,12 @@ def patch_pool(
     fields_to_update = patch_body.model_fields_set
     if update_mask:
         fields_to_update = fields_to_update.intersection(update_mask)
-        data = patch_body.model_dump(include=fields_to_update, by_alias=True)
-    else:
-        data = patch_body.model_dump(include=fields_to_update, by_alias=True)
-        try:
-            BasePool.model_validate(data)
-        except ValidationError as e:
-            raise RequestValidationError(errors=e.errors())
+
+    data = patch_body.model_dump(include=fields_to_update, by_alias=True)
+    try:
+        BasePool.model_validate(data)
+    except ValidationError as e:
+        raise RequestValidationError(errors=e.errors())
 
     for key, value in data.items():
         setattr(pool, key, value)
diff --git a/airflow/api_fastapi/core_api/routes/public/variables.py b/airflow/api_fastapi/core_api/routes/public/variables.py
@@ -151,11 +151,11 @@ def patch_variable(
     fields_to_update = patch_body.model_fields_set
     if update_mask:
         fields_to_update = fields_to_update.intersection(update_mask)
-    else:
-        try:
-            VariableBody(**patch_body.model_dump())
-        except ValidationError as e:
-            raise RequestValidationError(errors=e.errors())
+
+    try:
+        VariableBody(**patch_body.model_dump(include=fields_to_update))
+    except ValidationError as e:
+        raise RequestValidationError(errors=e.errors())
 
     data = patch_body.model_dump(include=fields_to_update - non_update_fields, by_alias=True)
 
