core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity

fix(handlers): add rows.Err() checks after all secrets scan loops

Browse Source 
Regression from audit #109: rows.Err() checks were removed from List,
ListGlobal, restartAllAffectedByGlobalKey, and Values between commits
3a30b073 and b25b4fb6. Without these checks, a mid-stream query error
(e.g. connection loss during iteration) is silently ignored and partial
results are returned as if the query succeeded.

Fix: add if err := rows.Err(); err != nil { log.Printf(...) } after
every for rows.Next() loop in secrets.go.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Molecule AI · core-be
2026-05-14 13:38:53 +00:00
committed by claude-ceo-assistant (Claude Opus 4.7 on Hongming's MacBook)
parent cee43a6dd8
commit 420c42a202
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
workspace-server/internal/handlers/secrets.go
+18
View File
@@ -63,6 +63,9 @@ func (h *SecretsHandler) List(c *gin.Context) {
"updated_at": updatedAt,
})
}
if err := rows.Err(); err != nil {
log.Printf("List secrets rows.Err: %v", err)
}
// 2. Global secrets not overridden at workspace level
globalRows, err := db.DB.QueryContext(ctx,
@@ -91,6 +94,9 @@ func (h *SecretsHandler) List(c *gin.Context) {
"updated_at": updatedAt,
})
}
if err := globalRows.Err(); err != nil {
log.Printf("List secrets (global) rows.Err: %v", err)
}
c.JSON(http.StatusOK, secrets)
}
@@ -174,6 +180,9 @@ func (h *SecretsHandler) Values(c *gin.Context) {
out[k] = string(decrypted)
}
}
if err := globalRows.Err(); err != nil {
log.Printf("secrets.Values globalRows.Err: %v", err)
}
}
wsRows, wErr := db.DB.QueryContext(ctx,
@@ -195,6 +204,9 @@ func (h *SecretsHandler) Values(c *gin.Context) {
out[k] = string(decrypted) // workspace override wins over global
}
}
if err := wsRows.Err(); err != nil {
log.Printf("secrets.Values wsRows.Err: %v", err)
}
}
if len(failedKeys) > 0 {
@@ -324,6 +336,9 @@ func (h *SecretsHandler) ListGlobal(c *gin.Context) {
"scope": "global",
})
}
if err := rows.Err(); err != nil {
log.Printf("ListGlobal rows.Err: %v", err)
}
c.JSON(http.StatusOK, secrets)
}
@@ -400,6 +415,9 @@ func (h *SecretsHandler) restartAllAffectedByGlobalKey(key string) {
ids = append(ids, id)
}
}
if err := rows.Err(); err != nil {
log.Printf("restartAllAffectedByGlobalKey rows.Err: %v", err)
}
if len(ids) == 0 {
return
}