| ID | Title | Description (excerpt) | Status | Severity | Date | |
|---|---|---|---|---|---|---|
| #544 | [API/Race] apps.py TOCTOU in create_version | File: api/blueprints/v1/apps.py:790-852. Two separate checks (app ownership, version existence) befo... | closed | high | 2025-12-17 16:29 | - |
| #543 | [API/Race] apps.py TOCTOU in create_app | File: api/blueprints/v1/apps.py:193-236. SELECT checks for duplicate, then INSERT. Between these ope... | closed | high | 2025-12-17 16:29 | - |
| #542 | [API/Race] rbac.py TOCTOU in API key validation | File: api/middleware/rbac.py:146-209. _validate_api_key performs SELECT then UPDATE without FOR UPDA... | closed | high | 2025-12-17 16:29 | - |
| #541 | [API/Perf] auth_wrapper.py N+1 query in get_user_accessible_tenants | File: engine/security/auth_wrapper.py:311-330. Loops through ALL tenants making separate auth query ... | closed | high | 2025-12-17 16:29 | - |
| #540 | [API/Perf] oauth2.py blocking requests library in async handler | File: api/oauth_handlers/oauth2.py:374-401. Uses synchronous requests.post() and requests.get() in a... | closed | high | 2025-12-17 16:29 | - |
| #539 | [API/Perf] rbac.py N+1 DB queries - no permission cache | File: api/middleware/rbac.py:659-661. Every permission check opens new DB connection and creates new... | closed | high | 2025-12-17 16:29 | - |
| #538 | [API/Perf] steps.py full data scan for count-only operation | Fixed: Added row_count() to DataShard, steps.py uses parquet metadata for count-only queries | closed | high | 2025-12-17 16:29 | - |
| #537 | [API/Perf] signals.py:73 sync function blocks event loop | File: api/blueprints/v1/signals.py:73-94. get_signals is a synchronous function (def get_signals) de... | closed | high | 2025-12-17 16:29 | - |
| #536 | [API/Race] api/config.py module-level config fetch at import time | File: api/config.py:11. Module-level call to get_engine_config() executes Vault fetch at import time... | closed | critical | 2025-12-17 16:28 | - |
| #535 | [API/Perf] version.py subprocess in async endpoint without caching | File: api/blueprints/v1/version.py:21-48. subprocess.run for git commands runs synchronously in asyn... | closed | critical | 2025-12-17 16:28 | - |
| #534 | [API/Race] oauth2.py global config mutation not atomic | File: api/oauth_handlers/oauth2.py:37-39,95-106. Global _OAUTH2_CONFIG_CACHE dict assigned separatel... | closed | critical | 2025-12-17 16:28 | - |
| #533 | [API/Memory] approvals.py connection leak in ApprovalService factory | File: api/blueprints/v1/approvals.py:28-33. get_approval_service() creates direct connection on ever... | closed | critical | 2025-12-17 16:28 | - |
| #532 | [API/Bug] workflows.py:2074 - run_id undefined in retry_workflow | File: api/blueprints/v1/workflows.py:2074. Variable run_id is referenced but never defined. Function... | closed | critical | 2025-12-17 16:28 | - |
| #531 | [API/Memory] signals.py connection leak - every signal operation leaks DB connection | File: api/blueprints/v1/signals.py:26-30. get_signal_service() creates DB connection with autocommit... | closed | critical | 2025-12-17 16:28 | - |
| #530 | [API/Perf] Multiple database connections for single permission check | **File:** api/middleware/rbac.py:660-680 **Problem:** Permission check and role retrieval use separ... | closed | low | 2025-12-17 15:00 | - |
| #529 | [API/Data] Validation lists should be frozensets | **Files:** api/middleware/validators.py:123 - valid_statuses list; api/blueprints/v1/apps.py:158-... | closed | low | 2025-12-17 15:00 | - |
| #528 | [API/Perf] Regex compilation in hot paths - multiple locations | **Files:** api/blueprints/v1/steps.py:377 - search regex compiled per-request; api/blueprints/v1/... | closed | medium | 2025-12-17 15:00 | - |
| #527 | [API/Perf] Sync subprocess blocks async event loop | **File:** api/blueprints/v1/workflows.py:115-122 **Problem:** `subprocess.run()` is synchronous and... | closed | high | 2025-12-17 15:00 | - |
| #526 | [API/Perf] JWT config fetched from Vault on EVERY request | **File:** api/oauth_handlers/oauth2.py:115-133 **Problem:** `verify_jwt_token()` calls `get_oauth2_... | closed | critical | 2025-12-17 15:00 | - |
| #525 | [API/Perf] N+1 query in queue analytics endpoint | **File:** api/blueprints/v1/analytics.py:63-68 **Problem:** For N queues, executes N+1 queries (1 f... | closed | critical | 2025-12-17 15:00 | - |