Overview
Tracking all active security vulnerabilities flagged by CodeQL static analysis and CVE databases.
Status as of 2026-04-14: none of the fixes for the Java vulnerabilities have been merged to main. PR #723 addresses Alert #5 only and is approved but not yet merged. The epic now reflects the corrected priority order after a full code review.
Priority Order

| Priority | Alert | Severity | File | Description | Status |
|---|---|---|---|---|---|
| 1 | #2 (tracked in #1018) | 🔴 error | `http-task/.../HttpTask.java:175` | SSRF — user-controlled URI with no host restrictions; design-level fix needed | ⏳ Open |
| 2 | #6 | 🔴 error | `core/.../ParametersUtils.java:235` | ReDoS — catastrophically complex regex runs on every task parameter string | ⏳ Open |
| 3 | #4 | 🟡 warning | `core/.../DummyPayloadStorage.java:95` | Path injection — unvalidated path in `new File(payloadDir, path)`; dev-mode only | ⏳ Open |
| 4 | #5 | 🟡 warning | `test-harness/.../MockExternalPayloadStorage.java:96` | Path injection — same pattern in test utils; fix in PR #723 (approved) | 🔍 PR #723 |
| 5 | #3 | 🟡 warning | `postgres-persistence/.../PostgresIndexQueryBuilder.java:69` | ReDoS — O(n²) regex, short inputs in practice; also compiled per call, not static | ⏳ Open |

Analysis Notes
Alert #2 — SSRF in HttpTask (see #1018)
The HTTP task is by design intended to call external URLs, but has no guards against reaching internal infrastructure (RFC 1918, loopback, cloud metadata endpoints like `169.254.169.254`). Requires a configurable allowlist/denylist — not a simple patch. Any check has to run against every address the hostname resolves to and again on each redirect; otherwise a public DNS name that resolves to an internal address walks straight past it. Tracked separately in #1018.
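The shape of the egress check described above, as an added example that is not the project's code. It refuses non-HTTP schemes, applies an optional operator allowlist of host suffixes (a hypothetical configuration knob), resolves the host, and rejects every address that lands in loopback, link-local (which covers `169.254.169.254`), RFC 1918, IPv6 unique-local, shared address space, or multicast ranges. The `main` uses constructed IP-literal URIs so it runs without DNS; `EgressGuard`, `vet` and `isInternal` are names chosen for this illustration.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

/** Illustrative outbound-URL guard for an HTTP task (added example, not project code). */
public final class EgressGuard {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Hypothetical operator allowlist of host suffixes; empty means "any public host". */
    private final Set<String> allowedHostSuffixes;

    public EgressGuard(Set<String> allowedHostSuffixes) {
        this.allowedHostSuffixes = allowedHostSuffixes;
    }

    /** Returns the vetted addresses, or throws SecurityException if the target must not be contacted. */
    public InetAddress[] vet(String rawUri) throws URISyntaxException, UnknownHostException {
        URI uri = new URI(rawUri);
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            throw new SecurityException("scheme not allowed: " + scheme);
        }
        String host = uri.getHost();
        if (host == null) {
            throw new SecurityException("URI has no host: " + rawUri);
        }
        if (!allowedHostSuffixes.isEmpty()
                && allowedHostSuffixes.stream().noneMatch(s ->
                        host.equalsIgnoreCase(s) || host.toLowerCase().endsWith("." + s.toLowerCase()))) {
            throw new SecurityException("host not on allowlist: " + host);
        }
        // Check every address the name resolves to, not just the first one.
        InetAddress[] addresses = InetAddress.getAllByName(host);
        for (InetAddress a : addresses) {
            if (isInternal(a)) {
                throw new SecurityException(host + " resolves to internal address " + a.getHostAddress());
            }
        }
        return addresses;
    }

    static boolean isInternal(InetAddress a) {
        // 0.0.0.0/::, 127/8 and ::1, 169.254/16 and fe80::/10, 10/8 172.16/12 192.168/16 fec0::/10, multicast
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] b = a.getAddress();
        if (b.length == 16) {
            // IPv6 unique local fc00::/7; isSiteLocalAddress() only covers the deprecated fec0::/10
            return (b[0] & 0xfe) == 0xfc;
        }
        int first = b[0] & 0xff, second = b[1] & 0xff;
        // 0.0.0.0/8 and 100.64.0.0/10 (shared address space, CGNAT)
        return first == 0 || (first == 100 && second >= 64 && second <= 127);
    }

    public static void main(String[] args) throws Exception {
        EgressGuard guard = new EgressGuard(Set.of());
        // Constructed inputs, all IP literals so no DNS lookup happens.
        String[] blocked = {
            "http://169.254.169.254/latest/meta-data/",
            "http://127.0.0.1:8080/admin",
            "http://10.0.0.5/",
            "http://[fd00:ec2::254]/latest/meta-data/",
            "file:///etc/passwd",
        };
        for (String u : blocked) {
            try {
                guard.vet(u);
                System.out.println("ALLOWED (unexpected): " + u);
            } catch (SecurityException e) {
                System.out.println("blocked: " + u + " -> " + e.getMessage());
            }
        }
        System.out.println("allowed: " + guard.vet("https://203.0.113.10/webhook")[0].getHostAddress());
    }
}
```

The check is only as good as the connection that follows it: a client that resolves the name again at connect time is open to DNS rebinding, so the HTTP client should connect to the vetted address (or use a resolver hook that returns it) and re-run `vet` on every redirect target rather than following redirects automatically.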
Alert #6 — ReDoS in ParametersUtils (production risk)
Nested lookaheads with backreferences and `.*?` quantifiers inside them, applied to every string-valued task parameter during workflow execution. Task output from an external worker flows into the next task's input parameters, so a crafted string from a worker can trigger O(n²) to exponential backtracking and pin the thread doing the substitution. Real risk in externally-facing deployments. Needs the complex `PATTERN` regex replaced with a stack-based or simpler iterative parser.
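Until `PATTERN` is replaced, the exposure can be contained by giving each match a wall-clock budget. The following is an added example, not project code: `Matcher` reads its input through `CharSequence.charAt()`, so a wrapper that checks a deadline on every read turns runaway backtracking into an exception. The pattern in `main` is a constructed stand-in with the same failure class (nested quantifiers that can re-partition the input); it is not the project's `PATTERN`, and the class and method names are chosen for this illustration.

```java
import java.util.regex.Pattern;

/** Added example (not project code): bounding the time a java.util.regex match may take. */
public final class BoundedRegex {

    public static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException(String message) { super(message); }
    }

    /** CharSequence view that aborts once the shared deadline has passed. */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public char charAt(int index) {
            if (System.nanoTime() - deadlineNanos > 0) {   // overflow-safe comparison
                throw new RegexTimeoutException("regex exceeded its time budget");
            }
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            // Matcher.group() goes through subSequence(); keep the same deadline.
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** matches() with a wall-clock budget; throws RegexTimeoutException when it runs out. */
    public static boolean matchesWithin(Pattern pattern, CharSequence input, long budgetMillis) {
        long deadline = System.nanoTime() + budgetMillis * 1_000_000L;
        return pattern.matcher(new DeadlineCharSequence(input, deadline)).matches();
    }

    public static void main(String[] args) {
        // Stand-in catastrophic pattern, NOT the project's PATTERN.
        Pattern catastrophic = Pattern.compile("(a+)+$");
        // Constructed hostile parameter: 40 'a's then a character that forces the
        // overall match to fail, so the engine tries every partition of the a's.
        String hostile = "a".repeat(40) + "!";

        long start = System.nanoTime();
        try {
            System.out.println("matched=" + matchesWithin(catastrophic, hostile, 100));
        } catch (RegexTimeoutException e) {
            long ms = (System.nanoTime() - start) / 1_000_000L;
            System.out.println("aborted after ~" + ms + " ms: " + e.getMessage());
        }
        // Benign input completes normally inside the same budget.
        System.out.println("benign matched=" + matchesWithin(catastrophic, "aaaa", 100));
    }
}
```

A timeout should fail the task that carried the parameter rather than silently returning "no match", and the budget belongs per parameter so a payload with many strings cannot add them up. This is containment only; the iterative parser the note calls for removes the backtracking instead of capping it.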
Alert #4 — Path injection in DummyPayloadStorage (low, dev-mode only)
Only active when no external payload storage (S3, GCS, etc.) is configured. `getLocation()` appends a UUID to the path, making traversal unlikely in practice. Still needs a canonical path check for correctness: resolve the supplied path against the payload directory, normalize it, and reject anything that does not stay beneath that directory.
Alert #5 — Path injection in MockExternalPayloadStorage (very low)
`getLocation()` returns just `UUID.randomUUID() + ".json"` — ignores the `path` argument — so paths are always UUID-based. Gated by `@ConditionalOnProperty`. PR #723 is approved; just needs merging.
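The canonical path check that Alerts #4 and #5 both call for, as an added example rather than the project's code. `Path.resolve` hands back an absolute argument unchanged and `normalize` folds `..`, so both escape routes then fail a component-wise `startsWith` (which, unlike a string prefix test, does not treat `/var/lib/payloads-evil` as a child of `/var/lib/payloads`). The base directory, the class name `PayloadPaths` and the inputs in `main` are constructed for this illustration; the UUID-suffixed input mirrors the shape `getLocation()` produces.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.UUID;

/** Added example (not project code): confining a caller-supplied path under a payload directory. */
public final class PayloadPaths {

    /** Resolves untrusted beneath baseDir and rejects anything that escapes it. */
    public static Path confine(Path baseDir, String untrusted) {
        Path base = baseDir.toAbsolutePath().normalize();
        // resolve() returns untrusted as-is when it is absolute; normalize() folds "..".
        Path target = base.resolve(untrusted).normalize();
        // startsWith compares path components, and the directory itself is not a valid file.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("path escapes payload dir: " + untrusted);
        }
        return target;
    }

    /** Same check for a file that already exists, additionally following symlinks. */
    public static Path confineExisting(Path baseDir, String untrusted) throws IOException {
        Path target = confine(baseDir, untrusted);
        Path real = target.toRealPath();            // follows symlinks; throws if the file is missing
        if (!real.startsWith(baseDir.toRealPath())) {
            throw new IllegalArgumentException("symlink escapes payload dir: " + untrusted);
        }
        return real;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/var/lib/payloads");          // constructed base directory
        String[] inputs = {
            "workflow/task/" + UUID.randomUUID() + ".json",   // the UUID-suffixed shape the page describes
            "../../../etc/passwd",                           // relative traversal
            "/etc/passwd",                                   // absolute path
            "ok/../../escape.json",                          // traversal hidden behind a valid prefix
            "",                                              // resolves to the directory itself
        };
        for (String in : inputs) {
            try {
                System.out.println("ok      " + confine(base, in));
            } catch (IllegalArgumentException e) {
                System.out.println("reject  " + e.getMessage());
            }
        }
    }
}
```

`confine` is enough for a write path where the file does not exist yet; for reads, `confineExisting` closes the remaining gap of a symlink inside the payload directory that points outside it. The example assumes POSIX path semantics.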
Alert #3 — ReDoS in PostgresIndexQueryBuilder (low / borderline false positive)
Regex `([a-zA-Z]+)\\s?(=|>|<|IN)\\s?(.*)` can be O(n²) for long all-alpha strings with no operator due to backtracking on `[a-zA-Z]+`: one start offset backtracks through the run in linear time, and the quadratic cost only appears when an unanchored `find()` retries from every later offset. Query strings are short in practice. Secondary issue: the `Pattern` is compiled inside the constructor, so every builder instance recompiles it, instead of living in a static field.
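Both points from the note above in one place, as an added example and not the project's `PostgresIndexQueryBuilder`: the per-instance compile kept for contrast, the same regex as a `static final` field (a compiled `Pattern` is immutable and safe to share across threads), and `matches()` so the engine never rescans from later offsets. The `Clause` record and the sample clauses in `main` are constructed for the illustration (record syntax needs Java 16+).

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (not project code): the clause regex compiled once and applied anchored. */
public final class IndexQueryClause {

    /** Before: a fresh compile for every instance (the secondary issue in the alert). */
    static Pattern compiledPerCall() {
        return Pattern.compile("([a-zA-Z]+)\\s?(=|>|<|IN)\\s?(.*)");
    }

    /** After: compiled once per class load; Pattern is immutable and thread-safe. */
    private static final Pattern CLAUSE = Pattern.compile("([a-zA-Z]+)\\s?(=|>|<|IN)\\s?(.*)");

    public record Clause(String column, String operator, String value) {}

    /**
     * matches() anchors at both ends, so an all-alpha input with no operator backtracks
     * through [a-zA-Z]+ once (linear) instead of re-scanning from every offset as find() would.
     */
    public static Optional<Clause> parse(String clause) {
        Matcher m = CLAUSE.matcher(clause);
        if (!m.matches()) {
            return Optional.empty();
        }
        return Optional.of(new Clause(m.group(1), m.group(2), m.group(3)));
    }

    public static void main(String[] args) {
        // Constructed clauses in the shape the regex accepts, plus the worst-case input.
        String[] samples = {
            "workflowId = 1f2e3d",
            "status IN (RUNNING,FAILED)",
            "startTime>1700000000000",
            "x".repeat(100_000),            // all-alpha, no operator: rejected in one linear pass
        };
        for (String c : samples) {
            System.out.println(parse(c).map(Clause::toString)
                    .orElse("no match (" + c.length() + " chars)"));
        }
    }
}
```

A possessive `[a-zA-Z]++` would remove the backtracking entirely but is not a drop-in replacement: it changes the result for inputs such as `statusIN x`, which the original pattern accepts by giving back the `IN` characters.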
CodeQL Alerts — GitHub Actions (workflow permissions)

| Alert | File | Status |
|---|---|---|
| #14, #17, #29 | `.github/workflows/ci.yml` | ⏳ Missing `permissions` blocks on multiple jobs |
| #24 | `.github/workflows/debug-docker-credentials.yml` | ⏳ Missing `permissions` block |

CodeQL Alerts — JavaScript

| Alert | File | Description | Status |
|---|---|---|---|
| #23 | `ui-next/.../helpers.ts:194` | Identity replacement (no-op string replace) | ⏳ Open |

CVE Dependencies

| Issue | Package | Vulnerability | Status |
|---|---|---|---|
| #643 | `ws@7.5.8` (ui/) | CVE-2024-37890 — DoS via excess headers; fixed in ws 7.5.10 | ⏳ Open |

Legend
- ✅ Merged/Completed
- 🔍 Ready for review (needs human approval/merge)
- 🔄 In progress
- ⏳ Open (work not yet started)
- ☑️ Closed/Superseded