Skip to content

POST to api/<space-id>/runbookSnapshots has missing validation #9834

New issue
New issue
Open
Open
POST to api/<space-id>/runbookSnapshots has missing validation#9834
Labels
kind/bugThis issue represents a verified problem we are committed to solving
@benPearce1

Description

@benPearce1
benPearce1
opened on Jan 16, 2026

Severity

Not blocking

Version

Unsure

Latest Version

I could reproduce the problem in the latest build

What happened?

Creating a new runbook snapshot via the API can leave the data in an invalid state.

Reproduction

POST to /api/<space-id>/runbookSnapshots or PUT to /api/<space-id>/runbookSnapshots/<snapshot-id>
In the body fill in the RunbookId, but pick a different project Id, not the project id of the runbook.

The response will be a 201 CREATED or 200 OK, but should be a 400 BAD REQUEST

In the below payload, Runbooks-2 is actually in Projects-1

{
  "Name": "Snapshot N3RCY4T",
  "RunbookId": "Runbooks-2",
  "Notes": null,
  "FrozenRunbookProcessId": "RunbookProcess-Runbooks-2-s-1-8WKRY",
  "FrozenProjectVariableSetId": "variableset-Projects-22-s-2-NQ7Z3",
  "Assembled": "2025-03-26T00:40:50.832+00:00",
  "ProjectId": "Projects-1481",
  "LibraryVariableSetSnapshotIds": [],
  "SelectedPackages": [],
  "SelectedGitResources": [],
  "GitReference": null,
  "ProjectVariableSetSnapshotId": "variableset-Projects-22-s-2-NQ7Z3",
  "SpaceId": "Spaces-1"
}

Error and Stacktrace



More Information


This scenario can lead to data integrity issues where referenced library variable sets can be blocked from being deleted due to references that can't easily be deleted.


Workaround


Put the correct matching values for the project and runbook into the request body
Metadata
Metadata
Assignees
No one assigned
    Labels
    kind/bugThis issue represents a verified problem we are committed to solving
    Type
    No type
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions