Skip to content

fix: task modified after save#266

Merged
yarolegovich merged 3 commits intomainfrom
yarolegovich/fix-task-mutable
Mar 9, 2026
Merged

fix: task modified after save#266
yarolegovich merged 3 commits intomainfrom
yarolegovich/fix-task-mutable

Conversation

@yarolegovich
Copy link
Copy Markdown
Member

@yarolegovich yarolegovich commented Mar 9, 2026

We were capturing a reference to a2a.Task event.
With in-memory consumers this meant that queue readers could potentially see incorrect task state:

  1. Task emitted and reference captured
  2. Artifact update emitted and applied to the task
  3. Event consumers receives the Task event and sees the Artifact already in it

@gemini-code-assist
Copy link
Copy Markdown
Contributor

gemini-code-assist bot commented Mar 9, 2026

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical bug where a2a.Task events could be inadvertently modified after being saved, leading to inconsistent state for consumers. By introducing a deep copy operation, the system now ensures that once a task is processed and saved, its state remains immutable, thereby guaranteeing data integrity and preventing race conditions in concurrent processing environments.

Highlights

  • Task Immutability: Implemented a deep copy mechanism for a2a.Task objects before they are saved. This prevents subsequent modifications to the original task reference from affecting the stored state, resolving a potential race condition where in-memory consumers could observe an inconsistent task state.
Changelog
  • internal/taskupdate/manager.go
    • Added a utils.DeepCopy call to create a defensive copy of the a2a.Task object before passing it to mgr.saveTask.
  • internal/taskupdate/manager_test.go
    • Added TestManager_TaskImmutableAfterSave to assert that modifications to a task object after it has been saved do not alter the stored version.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request aims to fix a bug where an a2a.Task object could be mutated after being saved by introducing a deep copy of the task event. However, the fix for the in-place mutation is incomplete as the updateArtifact method still performs in-place modifications. Additionally, a high-severity Insecure Direct Object Reference (IDOR) vulnerability was identified in the InMemory task store (a2asrv/taskstore/inmemory.go), where the Get and Update methods lack authorization checks, allowing any authenticated user to read or modify tasks belonging to others if they know the task ID.

nahapetyan-serob
nahapetyan-serob approved these changes Mar 9, 2026
View reviewed changes
internal/taskupdate/manager_test.go
}
if result2.Task.Status.State != a2a.TaskStateWorking {
t.Fatalf("previous result state changed to = %q, want = %q", result2.Task.Status.State, a2a.TaskStateWorking)
}
Copy link
Copy Markdown
Collaborator

@nahapetyan-serob nahapetyan-serob Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: would it make sense to check the original task's status here as well?

Copy link
Copy Markdown
Member Author

@yarolegovich yarolegovich Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

decided such check would be overly paranoid 🙂

@yarolegovich yarolegovich merged commit c15febe into main Mar 9, 2026
4 checks passed
@yarolegovich yarolegovich deleted the yarolegovich/fix-task-mutable branch March 9, 2026 15:28
@a2a-bot a2a-bot mentioned this pull request Mar 9, 2026
Merged
yarolegovich pushed a commit that referenced this pull request Mar 17, 2026
@a2a-bot
chore(main): release 1.0.0 (#252)
67b1354 
🤖 I have created a release *beep* *boop*
---


##
[1.0.0](v1.0.0-alpha.3...v1.0.0)
(2026-03-17)


### Features

* implement the new rest error handling
([#282](#282))
([a3bda30](a3bda30))
* use v2 suffix for module ID and provide compat support
([#270](#270))
([dd1b6ba](dd1b6ba)),
closes [#250](#250)


### Bug Fixes

* a2asrv jsonrpc Content-Type
([#265](#265))
([2568a46](2568a46))
* bugs before going from alpha
([#279](#279))
([b1f055c](b1f055c))
* GetTaskRequest nil pointer assignment check
([#258](#258))
([440bb79](440bb79))
* inject headers into service params
([#277](#277))
([d33f3bd](d33f3bd)),
closes [#275](#275)
* propagate cancelation signal using task store
([#272](#272))
([5e1d462](5e1d462)),
closes [#245](#245)
* regenerate spec and fix returnImmediately
([#284](#284))
([2eee0b9](2eee0b9))
* task modified after save
([#266](#266))
([c15febe](c15febe))
* taskupdater result mutable
([#274](#274))
([6038d92](6038d92))
* update pushsender
([#256](#256))
([5f7a594](5f7a594))
* use enum values as in the spec
([#261](#261))
([eb98981](eb98981)),
closes [#251](#251)


### Documentation

* **a2asrv:** add Example_* test functions for pkg.go.dev documentation
([#262](#262))
([7888e37](7888e37))
* add example tests a2a
([#240](#240))
([4fe08a9](4fe08a9))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nahapetyan-serob nahapetyan-serob nahapetyan-serob approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@yarolegovich @nahapetyan-serob