Skip to content

fix: server workflow API TOCTOU races and misc issues #355

Merged
pradeeban merged 1 commit intoControlCore-Project:devfrom
avinxshKD:fix/server-toctou-races
Mar 1, 2026
Merged

fix: server workflow API TOCTOU races and misc issues #355
pradeeban merged 1 commit intoControlCore-Project:devfrom
avinxshKD:fix/server-toctou-races

Conversation

@avinxshKD
Copy link

@avinxshKD avinxshKD commented Mar 1, 2026
edited
Loading

Closes #354

insert and update were doing read-then-write as separate ops so two concurrent saves could silently clobber each other. Switched both to find_one_and_update with the hash in the filter (atomic), added a unique index on serverID so the insert retry loop is also race-free, swapped random for secrets, added MAX_CONTENT_LENGTH, fixed bare except:, and added POST tests since there were none.

All tests are passing (4+ 5 new test)

image

@avinxshKD
Copy link
Author

avinxshKD commented Mar 1, 2026

Hey @pradeeban @mayureshkothare found this while writing the tests, get_random_string is still a method on the class but it doesn't use self at all, could just be a module-level function. not blocking anything but might be worth cleaning up separately.

lmk if you have any suggestions and guidance, thanks :p

@pradeeban
Copy link
Member

pradeeban commented Mar 1, 2026

@avinxshKD ok, pls clean that up separately.

@pradeeban pradeeban merged commit 7181e6e into ControlCore-Project:dev Mar 1, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@avinxshKD @pradeeban