You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
1. Remote tasks stuck after single-node restart (critical)
When Semaphore restarts while remote runner tasks are still executing, TaskPool.GetTask only hydrated from the database in HA mode. On a single-node deployment the in-memory pool is empty after restart, so UpdateRunner silently dropped all progress reports. Tasks remained stuck in running in the database even after the runner completed successfully.
Trigger: Restart the Semaphore server (upgrade, crash, deploy) while one or more remote runner tasks are actively executing.
2. History page crash on websocket events (high)
History.vue called this.items.some() without a null guard when handling websocket updates. If an update arrived before the first paginated load finished (or after a failed load), the History view threw TypeError: Cannot read properties of null.
Trigger: Open project History while tasks are actively updating; websocket event arrives before /tasks/last returns.
Root cause
HA work added HydrateTaskRunnerFromDB behind an util.HAEnabled() guard in GetTask, leaving single-node restarts without the same recovery path already used across HA nodes.
Task pagination added websocket reload throttling to History.vue but omitted the null guards already present in TaskList.vue.
Fix and validation
Always hydrate from DB in GetTask when a task is not in the in-memory pool (same behavior HA already relied on).
Mirror TaskList.vue null guards and throttle state initialization in History.vue.
GetTask only hydrated from the database when HA was enabled, so after a
single-node restart the in-memory pool was empty while remote runners
kept executing. UpdateRunner dropped progress for those tasks, leaving
them stuck in 'running' forever.
Also guard History.vue websocket handling against null items before the
first page load completes (matching TaskList.vue), preventing a crash on
the project History view.
Co-authored-by: Denis Gukov <fiftin@outlook.com>
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Security review
Outcome: No medium, high, or critical vulnerabilities found.
Reviewed the added/modified code in services/tasks/TaskPool.go, api/runners/runners_test.go, and web/src/views/project/History.vue.
TaskPool.GetTask hydration change
The PR removes the util.HAEnabled() guard so HydrateTaskRunnerFromDB runs whenever a task is absent from the in-memory pool (e.g. after a single-node restart). This expands an existing HA code path; it does not add a new externally reachable entry point.
Traced the primary sink (UpdateRunner → taskPool.GetTask → status/log updates / FinalizeRemoteTask). Existing controls remain in place:
Authentication:RunnerMiddleware requires a valid X-Runner-Token before UpdateRunner runs.
Authorization:tsk.Task.RunnerID must match the authenticated runner; mismatches are added to TerminatedJobs and skipped.
State guards: finished tasks are rejected; invalid statuses return 400; TryFinalize deduplicates terminal finalization.
A runner cannot use hydration to update tasks assigned to other runners or bypass runner authentication.
History.vue null-safety
The websocket handler changes only add null guards (this.items != null, this.items || []). They prevent runtime errors when the list is uninitialized and do not introduce new rendering of attacker-controlled data.
Prior automation threads
No unresolved security-review threads were present on this PR.
The reason will be displayed to describe this comment to others. Learn more.
Keep GetTask scoped to active tasks
In single-node mode this changes GetTask from a queue/running lookup into “load any DB row”. RemoveTask treats any nonnil result from taskPool(r).GetTask as an active task and returns 400 before deleting (checked api/projects/tasks.go:423-434), so completed tasks that are no longer queued or running now hydrate here and cannot be deleted. Consider keeping this fallback on a runner-progress-specific path, or filtering it to unfinished remote-runner tasks so inactive historical tasks still return nil.
The reason will be displayed to describe this comment to others. Learn more.
Security review
Outcome: No medium, high, or critical vulnerabilities found.
Re-reviewed the PR after the latest synchronize (head 9ba363ae), including services/tasks/TaskPool.go, api/runners/runners_test.go, and web/src/views/project/History.vue.
TaskPool.GetTask hydration change
Removing the util.HAEnabled() guard expands an existing HA code path so HydrateTaskRunnerFromDB runs whenever a task is absent from the in-memory pool (e.g. after a single-node restart). This does not introduce a new externally reachable entry point.
Authentication:RunnerMiddleware requires a valid X-Runner-Token before UpdateRunner runs.
Authorization:tsk.Task.RunnerID must match the authenticated runner; mismatches are added to TerminatedJobs and skipped (api/runners/runners.go).
State guards: finished tasks are rejected; invalid statuses return 400; TryFinalize deduplicates terminal finalization.
A runner cannot use hydration to update tasks assigned to other runners or bypass runner authentication.
History.vue null-safety
Websocket handler changes only add null guards (this.items != null, this.items || []). They prevent runtime errors when the list is uninitialized and do not introduce new rendering of attacker-controlled data.
Prior automation threads
No unresolved security-review threads from earlier automation runs. Prior assessment validated on the updated head commit.
Sent by Cursor Automation: Find vulnerabilities
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
Bug and impact
1. Remote tasks stuck after single-node restart (critical)
When Semaphore restarts while remote runner tasks are still executing,
TaskPool.GetTaskonly hydrated from the database in HA mode. On a single-node deployment the in-memory pool is empty after restart, soUpdateRunnersilently dropped all progress reports. Tasks remained stuck inrunningin the database even after the runner completed successfully.Trigger: Restart the Semaphore server (upgrade, crash, deploy) while one or more remote runner tasks are actively executing.
2. History page crash on websocket events (high)
History.vuecalledthis.items.some()without a null guard when handling websocket updates. If an update arrived before the first paginated load finished (or after a failed load), the History view threwTypeError: Cannot read properties of null.Trigger: Open project History while tasks are actively updating; websocket event arrives before
/tasks/lastreturns.Root cause
HydrateTaskRunnerFromDBbehind anutil.HAEnabled()guard inGetTask, leaving single-node restarts without the same recovery path already used across HA nodes.History.vuebut omitted the null guards already present inTaskList.vue.Fix and validation
GetTaskwhen a task is not in the in-memory pool (same behavior HA already relied on).TaskList.vuenull guards and throttle state initialization inHistory.vue.TestUpdateRunner_RunningTaskInDBButNotInPoolAcceptedcovering post-restart runner completion.