bug(server): leaderboard opt-in check is not atomic — TOCTOU race condition #61

New Issue

Open

opened 2026-05-28 01:51:03 +00:00 by funman300 · 0 comments

funman300 commented 2026-05-28 01:51:03 +00:00

Owner

Copy Link

Copy Source

Bug

In solitaire_server/src/sync.rs, the leaderboard submission path reads the user's opt-in flag and then writes the score in separate database operations. Between the read and the write, another request could change the opt-in status, leading to scores being submitted for users who have since opted out (or vice versa).

Affected file

solitaire_server/src/sync.rs

Fix

Wrap the opt-in check and score insert in a single SQL transaction:

BEGIN;
SELECT leaderboard_opt_in FROM users WHERE id = ? FOR UPDATE;
-- only INSERT if opt_in = true
INSERT INTO leaderboard_scores (...) SELECT ... WHERE opt_in = true;
COMMIT;

Or use a single conditional INSERT with a subquery that checks opt-in atomically.

## Bug In `solitaire_server/src/sync.rs`, the leaderboard submission path reads the user's opt-in flag and then writes the score in separate database operations. Between the read and the write, another request could change the opt-in status, leading to scores being submitted for users who have since opted out (or vice versa). ## Affected file `solitaire_server/src/sync.rs` ## Fix Wrap the opt-in check and score insert in a single SQL transaction: ```sql BEGIN; SELECT leaderboard_opt_in FROM users WHERE id = ? FOR UPDATE; -- only INSERT if opt_in = true INSERT INTO leaderboard_scores (...) SELECT ... WHERE opt_in = true; COMMIT; ``` Or use a single conditional INSERT with a subquery that checks opt-in atomically.

funman300 added the bugsecurityserver labels 2026-05-28 01:51:03 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

deploy

v0.39.0

v0.38.0

v0.37.0

v0.36.12

v0.36.11

v0.36.10

v0.36.9

v0.36.8

v0.36.7

v0.36.6

v0.36.5

v0.36.4

v0.36.3

v0.36.2

v0.36.1

v0.36.0

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.0

v0.27.0

v0.26.0

v0.25.8

v0.25.7

v0.25.6

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.0

v0.22.4

v0.22.3

v0.22.2

v0.22.1

v0.22.0

v0.21.8

v0.21.7

v0.21.6

v0.21.5

v0.21.4

v0.21.3

v0.21.2

v0.21.1

v0.21.0

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

Labels

Clear labels

android

bug

correctness

performance

security

server

test

ui

wasm

No Label bug security server

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

funman300 (Alex)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: funman300/Ferrous-Solitaire#61