You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
db.StoreSession removal: For SQL backends, SqlDb.PermanentConnection() always returns true, so StoreSession only invoked the callback (no per-request connect/close). Supported deployments no longer include BoltDB’s non-permanent session model.
Authentication:helpers.Store(r) still resolves the app-wide store from request context (set in cli/cmd/root.go). Removing the StoreSession wrapper around authenticationHandler does not remove store injection or session validation logic.
Bolt dialect: Explicit bolt / DbDriverBolt paths now fail fast (panic in factory, errors in GetDBConfig / connection string helpers, interactive setup), which is a safe failure mode rather than an authz bypass.
Supply chain:go.etcd.io/bbolt removed from go.mod, reducing native dependency surface.
No new inline comments; nothing met the bar for a documented exploit path with attacker-controlled input to a dangerous sink in this diff.
migrateCmd.PersistentFlags().BoolVar(&migrationArgs.skipTaskOutput, "skip-task-output", false, "Skip task output importing during migration")
migrateCmd.PersistentFlags().BoolVar(&migrationArgs.mergeExistingUsers, "merge-existing-users", false, "Reuse existing users matched by username instead of failing on conflict")
The reason will be displayed to describe this comment to others. Learn more.
Keep BoltDB migration flag wired for first-run path
The migrate command no longer defines a --from-boltdb flag, but the Docker entrypoint still invokes semaphore migrate --from-boltdb=... when SEMAPHORE_MIGRATE_FROM_BOLTDB is set (deployment/docker/server/server-wrapper, first-run migration block). In this state, Cobra treats that argument as an unknown flag and aborts, so first-run container startup fails specifically for users trying to migrate existing BoltDB data.
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Security review (automation)
API / data layer: Dropping db.StoreSession around authenticationWithStore, StoreMiddleware, TaskPool, and RemoteJob does not weaken SQL-backed deployments. SqlDb.PermanentConnection() is true, so StoreSession never called Connect/Close for MySQL, PostgreSQL, or SQLite; behavior matches a single long-lived pool.
Dependencies: Removing go.etcd.io/bbolt shrinks the dependency graph (positive).
Supply chain / release integrity: The self-hosted Pro GitHub workflows now clone semaphorepro-module from branch remove_boltdb instead of main. If that change ships on the default branch, beta and tagged release builds would track a feature branch unless reverted—see inline comments. Recommend restoring -b main (or a pinned SHA/tag policy) before merge unless this is an intentional short-lived coordination step with matching governance.
The reason will be displayed to describe this comment to others. Learn more.
Medium — supply chain / release integrity
git clone -b remove_boltdb makes beta (and similarly release) builds pull the private semaphorepro-module from a feature branch instead of main. If merged as-is, future tags would not match the usual “build from reviewed main” bar; a compromised or unreviewed change on that branch would ship into self-hosted Pro artifacts without the normal branch policy.
Impact: Weaker provenance and higher risk of unintended or malicious code in released binaries compared to cloning main or an immutable ref.
The reason will be displayed to describe this comment to others. Learn more.
Medium — supply chain / release integrity
Same as the beta workflow: cloning semaphorepro-module from remove_boltdb instead of main changes what code is eligible to ship in production self-hosted releases. Impact: Release artifacts may diverge from the reviewed main lineage; revert to main or pin an immutable SHA before merge unless explicitly governed.
Outcome: No medium, high, or critical vulnerabilities identified in the added or modified code paths for this diff.
Why prior concerns about StoreSession do not apply:db.StoreSession only invoked Connect/Close when PermanentConnection() was false (BoltDB’s single-writer model). db/sql.SqlDb.PermanentConnection() returns true, so for MySQL, PostgreSQL, and SQLite the callback already ran with no per-request connect/close. Removing StoreSession from api/auth.go, api/router.go, and task services is behavior-equivalent for supported backends and does not remove auth checks or store injection (SetContextValue in cli/cmd/root.go).
Other notes: Dropping go.etcd.io/bbolt is a supply-chain/attack-surface reduction. Config now rejects bolt as a dialect; legacy Bolt-only installs fail closed (availability), not an authz bypass.
Slack summary: PR3876 security pass — no findings (M/H/C). Bolt removal + StoreSession cleanup is neutral for SQL backends; bbolt dependency removed.
Outcome: No medium, high, or critical vulnerabilities were identified in the added or modified application code reviewed for this PR.
What was checked
api/auth.go / api/router.go:db.StoreSession was removed around auth and generic handlers. For SQL stores, SqlDb.PermanentConnection() is always true, so StoreSession did not open or close connections; behavior for supported backends matches the prior no-op path. No change to how credentials, sessions, or API tokens are validated.
services/tasks/*: Same removal of StoreSession wrappers; no new attacker-controlled sinks or permission boundaries.
util/config.go, db/factory/store.go, Docker/compose docs: Bolt removal and dialect validation; no new injection or secret exposure in these edits.
Dependencies:go.etcd.io/bbolt removed — smaller attack surface, no new risky dependency added.
Process note (below reporting threshold):.github/workflows/pro_selfhosted_beta.yml and pro_selfhosted_release.yml clone semaphorepro-module from branch remove_boltdb instead of main. That is reasonable for coordinated work but should be reverted to main before long-lived merge so release/beta builds are not permanently pinned to a feature branch.
Slack summary: PR 3876 (remove boltdb) — no medium+ security findings in reviewed code; optional follow-up: revert Pro-module workflow clone branch to main after integration.
Sent by Cursor Automation: Find vulnerabilities
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fiftin
commented
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
