Issues [highway-workflow-engine]

ID	Title	Status	Priority	Created	Due Date	Actions
#406	absurd_client.py inconsistent use of _table() method vs f-strings engine/absurd_client.py:1023,1107 uses f-strings for table names despite having safe _table() method...	closed	low	2025-12-12 05:49	-	Edit
#405	orchestrator.py uses f-strings for SQL table names instead of sql.Identifier() engine/orchestrator.py:277,372,553,762,794,988 uses f-strings for absurd table names. While queue_na...	closed	low	2025-12-12 05:49	-	Edit
#404	assert statements in db.py can be bypassed with Python -O flag engine/db.py:445-448 uses assert for validation. When Python runs with -O flag, asserts are stripped...	closed	low	2025-12-12 05:49	-	Edit
#403	circuit_breaker_reset.py CLI still uses /tmp flag files engine/cli/circuit_breaker_reset.py:13-18 still uses /tmp flag file mechanism that was supposed to b...	closed	medium	2025-12-12 05:49	-	Edit
#402	Weak PRNG in tracing.py for trace/span ID generation engine/utils/tracing.py:94,103 uses random.getrandbits() instead of secrets module for trace/span ID...	closed	medium	2025-12-12 05:49	-	Edit
#401	LOW: API pagination offset unbounded for DoS API endpoints (logs.py:1220, schedules.py:685) don't bound offset. Large offset=999999999 forces Pos...	closed	low	2025-12-11 22:44	-	Edit
#400	LOW: Bare except clause in sandbox catches SystemExit sandbox.py:306 - Uses bare 'except:' catching all exceptions including SystemExit and KeyboardInterr...	closed	low	2025-12-11 22:44	-	Edit
#399	MEDIUM: Uncaught ValueError in API integer parsing Multiple API endpoints use int(request.args.get()) without try-except: schedules.py:685, tenant_apps...	closed	medium	2025-12-11 22:44	-	Edit
#398	MEDIUM: Global circuit breaker can be toggled via /tmp flag files config.py:339,343 - Circuit breaker state controlled by /tmp/.highway_circuit_breaker_enabled and di...	closed	medium	2025-12-11 22:44	-	Edit
#397	HIGH: Predictable /tmp file path TOCTOU vulnerability in async_deferred_task async_deferred_task.py:103-105 - Creates predictable /tmp/highway_job_{job_id}.py file path. Attacke...	closed	high	2025-12-11 22:44	-	Edit
#396	LOW: Logger missing f-string prefix in orchestrator failure path orchestrator.py:574 - logger.exception('Task {task_name} failed') missing f-string prefix. Task name...	closed	low	2025-12-11 22:21	-	Edit
#395	MEDIUM: No upper bound validation on timeout duration strings shell_command.py:153-186 - ISO 8601 duration parsing has no max validation. Malicious workflow could...	closed	medium	2025-12-11 22:21	-	Edit
#394	MEDIUM: Sandbox code injection via triple-quote escape bypass sandbox.py:285 - User code escaped with simple replace for triple quotes. Edge cases like backslash-...	closed	medium	2025-12-11 22:21	-	Edit
#393	MEDIUM: Missing tenant isolation in checkpoint queries absurd_client.py:728-764 - get_checkpoints_for_run() queries by owner_run_id without tenant_id filte...	closed	medium	2025-12-11 22:21	-	Edit
#392	MEDIUM: Sandbox bypass via cached sys.modules sandbox/sandbox.py:99-132 - Replaces builtins.__import__ but doesn't clear sys.modules. Banned modul...	closed	medium	2025-12-11 22:21	-	Edit
#391	MEDIUM: SSRF bypass via DNS rebinding (TOCTOU) http_request.py:107-124 - DNS resolved at validation time, but request may resolve to different IP (...	closed	medium	2025-12-11 22:21	-	Edit
#390	HIGH: Unsafe getattr() on user-controlled attribute names variable_resolver.py:314-315 - Uses getattr() with user-controlled segment names. Could expose inter...	closed	high	2025-12-11 22:21	-	Edit
#389	HIGH: NOTIFY SQL injection via unsanitized channel/payload durable_context.py:1683-1698 - NOTIFY uses f-string: cur.execute(f"NOTIFY \"{channel}\", '{payload}'...	closed	high	2025-12-11 22:21	-	Edit
#388	HIGH: Race condition in RBAC ClientKeyManager cache (no thread lock) rbac_manager.py:91-135 - ClientKeyManager._cache is plain dict without thread locks. Comment claims ...	closed	high	2025-12-11 22:21	-	Edit
#387	HIGH: Shell command circuit breaker cache lacks TTL (memory leak) shell_command.py:87-150 - Circuit breaker cache has no TTL or max size, unlike http_request.py which...	closed	high	2025-12-11 22:21	-	Edit

Previous Page 21 of 39 Next