| ID | Title | Description | Status | Priority | Created | Due Date |
|---|---|---|---|---|---|---|
| #399 | MEDIUM: Uncaught ValueError in API integer parsing | Multiple API endpoints use `int(request.args.get())` without try-except: `schedules.py:685`, tenant_apps... | closed | medium | 2025-12-11 22:44 | - |
| #398 | MEDIUM: Global circuit breaker can be toggled via /tmp flag files | `config.py:339,343` - Circuit breaker state controlled by `/tmp/.highway_circuit_breaker_enabled` and di... | closed | medium | 2025-12-11 22:44 | - |
| #397 | HIGH: Predictable /tmp file path TOCTOU vulnerability in async_deferred_task | `async_deferred_task.py:103-105` - Creates predictable `/tmp/highway_job_{job_id}.py` file path. Attacke... | closed | high | 2025-12-11 22:44 | - |
| #396 | LOW: Logger missing f-string prefix in orchestrator failure path | `orchestrator.py:574` - `logger.exception('Task {task_name} failed')` missing f-string prefix. Task name... | closed | low | 2025-12-11 22:21 | - |
| #395 | MEDIUM: No upper bound validation on timeout duration strings | `shell_command.py:153-186` - ISO 8601 duration parsing has no max validation. Malicious workflow could... | closed | medium | 2025-12-11 22:21 | - |
| #394 | MEDIUM: Sandbox code injection via triple-quote escape bypass | `sandbox.py:285` - User code escaped with simple replace for triple quotes. Edge cases like backslash-... | closed | medium | 2025-12-11 22:21 | - |
| #393 | MEDIUM: Missing tenant isolation in checkpoint queries | `absurd_client.py:728-764` - `get_checkpoints_for_run()` queries by `owner_run_id` without `tenant_id` filte... | closed | medium | 2025-12-11 22:21 | - |
| #392 | MEDIUM: Sandbox bypass via cached sys.modules | `sandbox/sandbox.py:99-132` - Replaces `builtins.__import__` but doesn't clear `sys.modules`. Banned modul... | closed | medium | 2025-12-11 22:21 | - |
| #391 | MEDIUM: SSRF bypass via DNS rebinding (TOCTOU) | `http_request.py:107-124` - DNS resolved at validation time, but request may resolve to different IP (... | closed | medium | 2025-12-11 22:21 | - |
| #390 | HIGH: Unsafe getattr() on user-controlled attribute names | `variable_resolver.py:314-315` - Uses `getattr()` with user-controlled segment names. Could expose inter... | closed | high | 2025-12-11 22:21 | - |
| #389 | HIGH: NOTIFY SQL injection via unsanitized channel/payload | `durable_context.py:1683-1698` - NOTIFY uses f-string: `cur.execute(f"NOTIFY \"{channel}\", '{payload}'`... | closed | high | 2025-12-11 22:21 | - |
| #388 | HIGH: Race condition in RBAC ClientKeyManager cache (no thread lock) | `rbac_manager.py:91-135` - `ClientKeyManager._cache` is plain dict without thread locks. Comment claims ... | closed | high | 2025-12-11 22:21 | - |
| #387 | HIGH: Shell command circuit breaker cache lacks TTL (memory leak) | `shell_command.py:87-150` - Circuit breaker cache has no TTL or max size, unlike `http_request.py` which... | closed | high | 2025-12-11 22:21 | - |
| #386 | HIGH: time.sleep() in retry logic blocks event loop and is non-deterministic | `operators.py:116-119` - Retry delay uses synchronous `time.sleep()` which blocks and is non-determinist... | closed | high | 2025-12-11 22:21 | - |
| #385 | CRITICAL: No strict sandbox mode - unsandboxed execution proceeds with warning only | `sandbox.py:226-232` - When Docker unavailable and not in container, system logs WARNING but executes ... | closed | critical | 2025-12-11 22:21 | - |
| #384 | CRITICAL: SQL injection via dynamic table names in absurd_client | `absurd_client.py` uses f-strings for table names in multiple locations (e.g., line 657-664). While qu... | closed | critical | 2025-12-11 22:21 | - |
| #383 | CRITICAL: Fail-open encryption allows insecure DB connections | `db.py:143-146` and `db.py:380-384` - When encryption configuration fails, system logs warning but conti... | closed | critical | 2025-12-11 22:21 | - |
| #382 | CLEANUP: Remove deprecated SchedulerService (superseded by durable_cron) | `SchedulerService` and `scheduler_worker.py` are dead code. durable_cron (Issue #19) supersedes them com... | closed | low | 2025-12-11 22:12 | - |
| #381 | MEDIUM: Docker containers not killed on timeout (resource leak) | `sandbox.py:341` - When `container.wait()` times out, container may still be running. Finally block may ... | closed | medium | 2025-12-11 21:54 | - |
| #380 | MEDIUM: Unbounded circuit breaker cache (memory leak) | `http_request.py:136-199` - Per-workflow circuit breakers in `_circuit_breaker_cache` never cleaned up. ... | closed | medium | 2025-12-11 21:54 | - |
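Issue #397 above describes a job file written to a guessable path under /tmp. The following Python is an added illustration, not code from the project's async_deferred_task.py: it puts the issue's predictable-path pattern beside a private directory plus exclusive create. The job body, the `job_id` value and the helper names are assumptions made for the example.

```python
import os
import shutil
import stat
import tempfile

JOB_SOURCE = "print('hello from job')\n"  # constructed job body for the example


def write_job_predictable(job_id: str, source: str) -> str:
    """Pattern described in the issue: a guessable path in the world-writable /tmp.

    Any local user who knows or guesses job_id can pre-create the path, or plant a
    symlink there, between the path being chosen and the open(); the write then
    lands wherever the attacker pointed it.  Kept here for contrast only.
    """
    path = f"/tmp/highway_job_{job_id}.py"
    with open(path, "w") as f:
        f.write(source)
    return path


def write_job_private(job_id: str, source: str) -> str:
    """Hardened variant: unpredictable private directory plus exclusive create.

    mkdtemp() creates a 0700 directory with a random name, so other users cannot
    see or pre-create anything inside it, and O_CREAT|O_EXCL|O_NOFOLLOW makes the
    open fail (FileExistsError) instead of following a pre-existing file or link.
    """
    workdir = tempfile.mkdtemp(prefix="highway_job_")
    path = os.path.join(workdir, f"{job_id}.py")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(source)
    return path


def exclusive_create_fails(path: str) -> bool:
    """True if a second O_EXCL create on an existing path is refused, as it must be."""
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
    except FileExistsError:
        return True
    return False


def mode_bits(path: str) -> int:
    """Permission bits of a file or directory, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def private_dir_of(path: str) -> str:
    return os.path.dirname(path)


def cleanup(path: str) -> None:
    """Remove the job file and its private directory once the job has run."""
    shutil.rmtree(private_dir_of(path), ignore_errors=True)
```

The directory, not the file name, carries the unpredictability here: once the parent is 0700 and freshly created, the file name inside it can stay readable for debugging, and the exclusive create is the backstop that turns any race into an error rather than a write through an attacker's link.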
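Issue #394 above concerns user code escaped into a triple-quoted template with a plain replace. As an added example (not the project's sandbox.py), the Python below constructs a payload whose backslash immediately before a triple quote survives the replace as an escaped backslash followed by a real closing quote, and contrasts that wrapper with one that emits the user code through `repr()`. The wrapper shape, the `SOURCE` name and the payload are assumptions for the example.

```python
import ast

# Constructed payload: a backslash immediately before the triple quote.  After the
# naive replace the template contains \\""" which Python reads as an escaped
# backslash followed by a closing triple quote, so the rest of the payload is code.
PAYLOAD = '\\"""\nINJECTED = 1\n#'


def wrap_naive(user_code: str) -> str:
    """Vulnerable pattern from the issue: escape triple quotes with str.replace()."""
    escaped = user_code.replace('"""', '\\"""')
    return f'SOURCE = """{escaped}"""\n'


def wrap_safe(user_code: str) -> str:
    """Hardened: repr() emits a single string literal for any input, escaping
    quotes, backslashes and newlines, so no byte of user_code can close it early."""
    return f"SOURCE = {user_code!r}\n"


def run_wrapper(wrapper_source: str) -> dict:
    """Parse and execute the generated wrapper; return the names it defined."""
    tree = ast.parse(wrapper_source, filename="<wrapper>")
    ns: dict = {}
    exec(compile(tree, "<wrapper>", "exec"), ns)
    return {k: v for k, v in ns.items() if not k.startswith("__")}


def statement_count(wrapper_source: str) -> int:
    """A correctly escaped wrapper is exactly one assignment, whatever the input."""
    return len(ast.parse(wrapper_source).body)
```

The `statement_count` check is the cheap regression test for this class of bug: whatever the user supplies, the generated wrapper must parse to exactly one assignment whose value round-trips to the input, and any escaping scheme that cannot pass that test for arbitrary bytes should not be in front of `exec`.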
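Issue #392 above notes that replacing `builtins.__import__` without clearing `sys.modules` leaves banned modules reachable through the cache. The Python below is an added demonstration, not the project's sandbox: it installs a guarded importer only in the namespace handed to `exec` (so the host interpreter is untouched), shows a constructed payload pulling `os` out of `sys.modules` without ever calling the importer, and a hardened runner that hides the banned modules from the cache for the duration and also refuses the modules that expose the cache itself. The banned set and payload are assumptions for the example.

```python
import builtins
import contextlib
import os  # the host process uses os itself, so it is already cached in sys.modules
import sys

# Constructed bypass: "os" is banned, "sys" is not, and os is already loaded, so
# the module cache hands it back without a single call to __import__.
BYPASS = "import sys\nos = sys.modules['os']\nGOT = os.getcwd.__name__\n"

# Modules that give user code a route into the cache or the real importer.
CACHE_ROUTES = {"sys", "importlib", "builtins"}


def guarded_import(banned):
    """Build an __import__ replacement that rejects banned top-level modules."""
    real_import = builtins.__import__

    def _import(name, globals=None, locals=None, fromlist=(), level=0):
        if name.split(".")[0] in banned:
            raise ImportError(f"module {name!r} is not allowed in the sandbox")
        return real_import(name, globals, locals, fromlist, level)

    return _import


def run_vulnerable(code: str, banned) -> dict:
    """Pattern from the issue: swap __import__, leave the module cache untouched."""
    ns = {"__builtins__": {"__import__": guarded_import(set(banned))}}
    exec(code, ns)
    return ns


@contextlib.contextmanager
def hidden_modules(names):
    """Temporarily drop cached modules (and their submodules) so the cache cannot
    hand them out; they are restored for the host afterwards, even on error."""
    saved = {n: sys.modules.pop(n) for n in list(sys.modules) if n.split(".")[0] in names}
    try:
        yield
    finally:
        sys.modules.update(saved)


def run_hardened(code: str, banned) -> dict:
    """Hide the banned modules for the run and refuse the cache-exposing modules too."""
    banned = set(banned)
    with hidden_modules(banned):
        ns = {"__builtins__": {"__import__": guarded_import(banned | CACHE_ROUTES)}}
        exec(code, ns)
    return ns


def bypass_works(runner, banned=frozenset({"os", "subprocess"})) -> bool:
    """True when the constructed payload obtains os through the module cache."""
    try:
        return runner(BYPASS, banned).get("GOT") == "getcwd"
    except (ImportError, KeyError):
        return False


def host_cache_intact() -> bool:
    """The host's own os module is back in the cache after a hardened run."""
    return sys.modules.get("os") is os
```

Hiding cache entries closes the route the issue names, but it is still a denylist inside a shared interpreter: any object the user code can reach that holds a reference to `os` (a function's `__globals__`, a class's module) is another way out, which is why the process boundary in the Docker path, and not this guard, has to be the actual security boundary (see #385).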
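Issue #391 above is the time-of-check/time-of-use gap between validating one DNS answer and letting the HTTP client resolve the name again. The Python below is an added example, not the project's http_request.py: a constructed resolver that answers a public address first and a loopback address second, the validate-then-forget pattern that it defeats, and a pinning variant that connects to the very address it validated and carries the original name in the Host header. Function names and the sample addresses are assumptions for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit


class SSRFBlocked(Exception):
    """Raised when a request would reach an address that is not publicly routable."""


def is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_host_only(url: str, resolver=socket.gethostbyname) -> str:
    """Pattern from the issue: validate one DNS answer, then hand the HTTP client
    the original URL, so the client resolves the name a second time.  A name whose
    second answer is an internal address (DNS rebinding) gets through."""
    host = urlsplit(url).hostname
    if host is None or not is_public_ip(resolver(host)):
        raise SSRFBlocked(host)
    return url


def pin_resolved_ip(url: str, resolver=socket.gethostbyname):
    """Hardened: resolve once, validate that answer, and connect to that same IP.

    Returns (pinned_url, headers).  The URL carries the validated address so the
    client cannot resolve again; the Host header carries the original name for
    virtual hosting.  Redirect targets must be passed back through this function,
    and for https the client must still be told the original name for SNI and
    certificate checks.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme {parts.scheme!r} not allowed")
    if parts.hostname is None:
        raise SSRFBlocked("missing host")
    ip = resolver(parts.hostname)
    if not is_public_ip(ip):
        raise SSRFBlocked(f"{parts.hostname} resolved to {ip}")
    host_part = f"[{ip}]" if ipaddress.ip_address(ip).version == 6 else ip
    netloc = host_part if parts.port is None else f"{host_part}:{parts.port}"
    pinned = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return pinned, {"Host": parts.netloc}


def rebinding_resolver(answers):
    """Constructed DNS stub that returns the next answer on each lookup, the way a
    rebinding domain with a short TTL behaves (public first, internal second)."""
    it = iter(answers)
    return lambda host: next(it)


def blocked(fn, url, resolver) -> bool:
    try:
        fn(url, resolver)
    except SSRFBlocked:
        return True
    return False
```

The property to hold onto is that the address that passed validation is the address the socket connects to; pinning it into the URL is the simplest way to get that with a stock HTTP client, and the cost is that every redirect hop has to be re-pinned and TLS needs the original name supplied separately.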
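Issue #389 above quotes a NOTIFY built with an f-string. The Python below is an added example rather than the project's durable_context.py: it records what a cursor receives from the quoted pattern and from a variant that goes through `pg_notify()` with bound parameters. NOTIFY itself takes an identifier and a string literal, neither of which a driver can bind, which is why the function form is used; the `%s` placeholder style (psycopg), the channel-name allowlist and the recording cursor are assumptions for the example.

```python
import re

# Channel names accepted for the example; the allowlist is an assumption, not a
# project rule.  pg_notify() itself accepts any text up to 63 bytes.
CHANNEL_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}\Z")


class RecordingCursor:
    """Constructed stand-in for a DB-API cursor: records what execute() receives."""

    def __init__(self):
        self.calls = []

    def execute(self, query, params=None):
        self.calls.append((query, params))


def notify_vulnerable(cur, channel: str, payload: str) -> None:
    """Pattern quoted in the issue: both values become part of the statement text."""
    cur.execute(f"NOTIFY \"{channel}\", '{payload}'")


def notify_safe(cur, channel: str, payload: str) -> None:
    """pg_notify() takes ordinary text arguments, so channel and payload travel as
    bound parameters and never touch the statement text.  The allowlist on the
    channel is defence in depth against names that are merely surprising."""
    if not CHANNEL_RE.match(channel):
        raise ValueError(f"invalid channel name: {channel!r}")
    cur.execute("SELECT pg_notify(%s, %s)", (channel, payload))


def statement_text(fn, channel: str, payload: str) -> str:
    """Run fn against a recording cursor and return the SQL text it sent."""
    cur = RecordingCursor()
    fn(cur, channel, payload)
    return cur.calls[-1][0]


def bound_params(fn, channel: str, payload: str):
    """Run fn against a recording cursor and return the parameters it bound."""
    cur = RecordingCursor()
    fn(cur, channel, payload)
    return cur.calls[-1][1]


def rejects_channel(channel: str) -> bool:
    try:
        notify_safe(RecordingCursor(), channel, "")
    except ValueError:
        return True
    return False
```

If the statement form has to stay (for example because the driver cannot run a SELECT at that point in a transaction), the values must go through the driver's identifier and literal quoting helpers rather than manual quote doubling, since the literal rules depend on the server's `standard_conforming_strings` setting.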