Category: Code quality / latent bug
Two small, clearly-correct cleanups:
1. Dead ROLE_ASSIGNMENT branches — backend/app/routers/user_permissions.py:44, 67
if g.object_type == "ROLE_ASSIGNMENT":
    ...
tech-debt
Impact: High
# backend/app/utils/role_helpers.py:30-47
def get_parent_roles(conn, role_name):
    parents = []
    try:
        rows = execute_query(conn, "SELECT FROM_ROLE FROM sys.role_edges WHERE TO_ROLE ...
performance
Impact: High
Every /api/admin/privileges/* request calls _collect(...).collect(), which re-scans the entire org from scratch — there is no cache.
# backend/app/services/admin/sys_collector.py:23-68
rows ...
performance
Impact: High
Every API request opens a fresh TCP connection + MySQL auth handshake + SET ROLE ALL before any real query. There is no pooling.
# backend/app/dependencies.py:41-52
def get_db(credentials: ...
performance
Severity: Medium
/api/auth/login opens a real StarRocks connection on every unauthenticated request, with no throttling:
# backend/app/routers/auth.py:20-23
@router.post("/login")
def login(req: LoginRequest): ...
security
Severity: Medium
SHOW CATALOGS is permission-filtered per user, but the result is cached under a constant key shared across all sessions:
# backend/app/routers/user_objects.py:35, 41-52
_catalog_cache: ...
security
Severity: Medium
# backend/app/main.py:49-55
app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)
With allow_credentials=True ...
security
Severity: Medium
User-controlled query params are interpolated into backtick identifiers without safe_identifier, inconsistent with the rest of the codebase:
# backend/app/routers/user_objects.py
execute_query(conn, ...
security
Severity: High
safe_name() is the project's designated injection guard for SHOW GRANTS FOR ... contexts, but its allowlist includes the single-quote character, the space character and the hyphen (-):
# backend/app/utils/sql_safety.py ...
security
Severity: High
The shipped image bakes a publicly-known JWT signing secret, and the app accepts the placeholder default silently:
# Dockerfile
ENV SRPM_JWT_SECRET=change-me-in-production
# backend/app/config.py ...
security