bug(server): replay upload uses client-supplied recorded_at for leaderboard — allows timestamp spoofing #74

New Issue

Closed

opened 2026-05-28 21:36:22 +00:00 by funman300 · 1 comment

funman300 commented 2026-05-28 21:36:22 +00:00

Owner

Copy Link

Copy Source

Bug

In solitaire_server/src/replays.rs (lines 159–181), when a winning replay is uploaded and the mode is "Classic", the leaderboard row's recorded_at column is updated from header.recorded_at — a value supplied by the client:

sqlx::query!(
    r#"UPDATE leaderboard
       SET best_score     = ?,
           best_time_secs = ?,
           recorded_at    = ?   -- ← header.recorded_at (client-controlled!)
       ..."
    header.final_score,
    header.time_seconds,
    header.recorded_at,   // ← client-supplied date
    ...

Impact

A client can supply any arbitrary recorded_at string (past or future) and it will be stored verbatim in the leaderboard. Players could backdate scores to appear longer-standing, or future-date them.

Fix

Use the server-computed received_at timestamp (already available in the handler) instead of the client-supplied header.recorded_at when updating the leaderboard row.

## Bug In `solitaire_server/src/replays.rs` (lines 159–181), when a winning replay is uploaded and the mode is `"Classic"`, the leaderboard row's `recorded_at` column is updated from `header.recorded_at` — a value supplied by the client: ```rust sqlx::query!( r#"UPDATE leaderboard SET best_score = ?, best_time_secs = ?, recorded_at = ? -- ← header.recorded_at (client-controlled!) ..." header.final_score, header.time_seconds, header.recorded_at, // ← client-supplied date ... ``` ## Impact A client can supply any arbitrary `recorded_at` string (past or future) and it will be stored verbatim in the leaderboard. Players could backdate scores to appear longer-standing, or future-date them. ## Fix Use the server-computed `received_at` timestamp (already available in the handler) instead of the client-supplied `header.recorded_at` when updating the leaderboard row.

funman300 referenced this issue from a commit 2026-05-28 21:41:32 +00:00

fix(server): accept nil user_id placeholder in push; use received_at for leaderboard (#73, #74)

funman300 commented 2026-05-28 21:42:20 +00:00

Author

Owner

Copy Link

Copy Source

Fix (commit 7eb1181)

The leaderboard recorded_at update in replays.rs now uses the server-computed received_at timestamp instead of the client-supplied header.recorded_at:

// Before — client could supply any timestamp:
sqlx::query!(
    r#"UPDATE leaderboard SET ... recorded_at = ? ..."
    ...
    header.recorded_at,  // ← client-controlled
    ...

// After — server-minted timestamp only:
sqlx::query!(
    r#"UPDATE leaderboard SET ... recorded_at = ? ..."
    ...
    received_at,  // ← computed by the server at upload time
    ...

received_at is already calculated at the top of the upload handler via Utc::now().to_rfc3339() and stored in the replays table, so no additional database calls are needed. Clients can no longer backdate or future-date their leaderboard entries by supplying a crafted recorded_at in the replay JSON.

## Fix (commit `7eb1181`) The leaderboard `recorded_at` update in `replays.rs` now uses the server-computed `received_at` timestamp instead of the client-supplied `header.recorded_at`: ```rust // Before — client could supply any timestamp: sqlx::query!( r#"UPDATE leaderboard SET ... recorded_at = ? ..." ... header.recorded_at, // ← client-controlled ... ``` ```rust // After — server-minted timestamp only: sqlx::query!( r#"UPDATE leaderboard SET ... recorded_at = ? ..." ... received_at, // ← computed by the server at upload time ... ``` `received_at` is already calculated at the top of the `upload` handler via `Utc::now().to_rfc3339()` and stored in the `replays` table, so no additional database calls are needed. Clients can no longer backdate or future-date their leaderboard entries by supplying a crafted `recorded_at` in the replay JSON.

funman300 closed this issue 2026-05-28 21:42:20 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

deploy

docs/card-game-integration

v0.39.1

v0.39.0

v0.38.0

v0.37.0

v0.36.12

v0.36.11

v0.36.10

v0.36.9

v0.36.8

v0.36.7

v0.36.6

v0.36.5

v0.36.4

v0.36.3

v0.36.2

v0.36.1

v0.36.0

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.0

v0.27.0

v0.26.0

v0.25.8

v0.25.7

v0.25.6

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.0

v0.22.4

v0.22.3

v0.22.2

v0.22.1

v0.22.0

v0.21.8

v0.21.7

v0.21.6

v0.21.5

v0.21.4

v0.21.3

v0.21.2

v0.21.1

v0.21.0

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

Labels

Clear labels

android

bug

correctness

enhancement

performance

security

server

test

ui

ux

wasm

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

funman300 (Alex)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: funman300/Ferrous-Solitaire#74