[GH-ISSUE #951] [BUG/Discussion] Accessing undeclared keys in LUA scripts #2485

New issue

Open

opened 2026-03-15 20:38:38 +03:00 by kerem · 2 comments

kerem commented 2026-03-15 20:38:38 +03:00

Owner

Copy link

Originally created by @pior on GitHub (Oct 30, 2024).
Original GitHub issue: https://github.com/hibiken/asynq/issues/951

Originally assigned to: @hibiken on GitHub.

Describe the bug

I don't know whether this is a bug or not, but there may be an issue with the way this library uses LUA scripts:

Important: to ensure the correct execution of scripts, both in standalone and clustered deployments, all names of keys that a script accesses must be explicitly provided as input key arguments.
The script should only access keys whose names are given as input arguments.

Scripts should never access keys with programmatically-generated names or based on the contents of data structures stored in the database.

https://redis.io/docs/latest/commands/eval/

However, many Asynq LUA scripts are doing exactly that, mostly for the task key:
github.com/hibiken/asynq@3dbda60333/internal/rdb/rdb.go (L227-L238)

Stackoverflow says that specifying the keys is important when using Redis Cluster since it ensures that all keys are on the nodes where the lua script is running: https://stackoverflow.com/a/32091333
But this answer also mentions that the behavior is also undefined on a regular Redis 🤔.

There seems to be a few Github issues related to this: https://github.com/hibiken/asynq/issues/480 https://github.com/hibiken/asynq/issues/724 https://github.com/hibiken/asynq/issues/442

Discussion

I'm not sure whether there is a practical solution, but we should at least know and document this situation.

Originally created by @pior on GitHub (Oct 30, 2024). Original GitHub issue: https://github.com/hibiken/asynq/issues/951 Originally assigned to: @hibiken on GitHub. **Describe the bug** I don't know whether this is a bug or not, but there may be an issue with the way this library uses LUA scripts: > **Important**: to ensure the correct execution of scripts, both in standalone and clustered deployments, all names of keys that a script accesses must be explicitly provided as input key arguments. > The script should only access keys whose names are given as input arguments. > **Scripts should never access keys with programmatically-generated names or based on the contents of data structures stored in the database.** https://redis.io/docs/latest/commands/eval/ However, many Asynq LUA scripts are doing exactly that, mostly for the task key: https://github.com/hibiken/asynq/blob/3dbda603333da7c47449e3c1fc14f3c681ac58a3/internal/rdb/rdb.go#L227-L238 Stackoverflow says that specifying the keys is important when using Redis Cluster since it ensures that all keys are on the nodes where the lua script is running: https://stackoverflow.com/a/32091333 But this answer also mentions that the behavior is also undefined on a regular Redis 🤔. There seems to be a few Github issues related to this: https://github.com/hibiken/asynq/issues/480 https://github.com/hibiken/asynq/issues/724 https://github.com/hibiken/asynq/issues/442 **Discussion** I'm not sure whether there is a practical solution, but we should at least know and document this situation.

kerem added the

bug

investigate

labels 2026-03-15 20:38:38 +03:00

kerem commented 2026-03-15 20:38:49 +03:00

Author

Owner

Copy link

@kamikazechaser commented on GitHub (Oct 31, 2024):

Definitely an anti-pattern against redis recommendations. But in most cases these are dynamic keys being passed, not sure how we can go around these. I'll read up more on this.

<!-- gh-comment-id:2449052407 --> @kamikazechaser commented on GitHub (Oct 31, 2024): Definitely an anti-pattern against redis recommendations. But in most cases these are dynamic keys being passed, not sure how we can go around these. I'll read up more on this.

kerem commented 2026-03-15 20:38:54 +03:00

Author

Owner

Copy link

@kamikazechaser commented on GitHub (Oct 31, 2024):

I think we should remove the line on the README and add a caveat about redis cluster compatibility until we confirm ALL scripts are redis cluster compatible (which isn't the case now).

<!-- gh-comment-id:2449062822 --> @kamikazechaser commented on GitHub (Oct 31, 2024): I think we should remove the line on the README and add a caveat about redis cluster compatibility until we confirm ALL scripts are redis cluster compatible (which isn't the case now).

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

dependabot/github_actions/golangci/golangci-lint-action-9

dependabot/github_actions/codecov/codecov-action-6

dependabot/github_actions/actions/download-artifact-8

dependabot/github_actions/actions/upload-artifact-7

dependabot/github_actions/actions/checkout-6

dependabot/go_modules/tools/github.com/hibiken/asynq-0.26.0

dependabot/go_modules/tools/github.com/redis/go-redis/v9-9.18.0

dependabot/go_modules/github.com/redis/go-redis/v9-9.18.0

dependabot/go_modules/x/github.com/hibiken/asynq-0.26.0

dependabot/go_modules/tools/github.com/mattn/go-runewidth-0.0.23

dependabot/go_modules/x/github.com/redis/go-redis/v9-9.18.0

dependabot/go_modules/golang.org/x/sys-0.43.0

dependabot/go_modules/tools/github.com/prometheus/client_golang-1.23.2

dependabot/go_modules/google.golang.org/protobuf-1.36.11

dependabot/go_modules/tools/github.com/spf13/pflag-1.0.10

dependabot/go_modules/golang.org/x/time-0.15.0

dependabot/go_modules/x/github.com/prometheus/client_golang-1.23.2

sohail/v0.27.0

pr-1100

next

preview-v0.26.0

sohail/recoverer-fix

sohail/unix-stop-signal

sohail/pm-redis-conn-hotfix

sohail/release-v0.25.0

revert-937-dependabot/go_modules/golang.org/x/time-0.7.0

develop

sohail/changelog/v0.25.0

go-versions

sohail/activate-dependabot

revert-491-master

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.1

v0.22.0

v0.21.0

v0.20.0

v0.19.1

v0.19.0

v0.18.6

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.2

v0.17.1

v0.17.0

v0.16.1

v0.16.0

v0.15.0

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.10.0.rc1

v0.9.4

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.2

v0.6.1

v0.6.0

v0.5.0

v0.4.0

v0.3.0

v0.2.2

v0.2.1

v0.2.0

v0.1.0

Labels

Clear labels   

CLI

  

bug

  

designing

  

documentation

  

duplicate

  

enhancement

  

good first issue

  

good first issue

  

help wanted

  

idea

  

invalid

  

investigate

  

needs-more-info

  

performance

  

pr-welcome

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

wontfix

  

work in progress

  

work in progress

  

work-around-available

No labels

CLI

bug

designing

documentation

duplicate

enhancement

good first issue

good first issue

help wanted

idea

invalid

investigate

needs-more-info

performance

pr-welcome

pull-request

question

wontfix

work in progress

work in progress

work-around-available

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/asynq#2485

No description provided.