mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-07-09 16:00:59 +00:00
This commit addresses 5 critical P0 bugs that cause security vulnerabilities, crashes, and data corruption: **P0-1: Recovery Tokens Replay Attack Vulnerability** (recovery_tokens.go:153-159) - **SECURITY CRITICAL**: Single-use recovery tokens could be replayed - **Problem**: Lock upgrade race - two concurrent requests both pass initial Used check 1. Both acquire RLock, see token.Used = false 2. Both release RLock 3. Both acquire Lock and mark token.Used = true 4. Both return true - TOKEN REUSED - **Impact**: Attacker with intercepted token can use it multiple times - **Fix**: Re-check token.Used after acquiring write lock (TOCTOU prevention) **P0-2: WebSocket Hub Concurrent Map Panic** (hub.go:345-347, 376-378) - **Problem**: Initial state goroutine reads h.clients map without lock - Line 345: `if _, ok := h.clients[client]` (NO LOCK) - Main loop writes to h.clients with lock (line 326, 394) - **Impact**: "fatal error: concurrent map read and write" crashes hub - **Fix**: Acquire RLock before all client map reads in goroutine **P0-3: WebSocket Send on Closed Channel Panic** (hub.go:348, 380) - **Problem**: Check client exists, then send - channel can close between - **Impact**: "send on closed channel" panic crashes hub - **Fix**: Hold RLock during both check and send (defensive select already present) **P0-4: CSRF Store Shutdown Data Corruption** (csrf_store.go:189-196) - **Problem**: Stop() calls save() after signaling worker. Both hold only RLock - Worker's final save writes to csrf_tokens.json.tmp - Stop()'s save writes to same file concurrently - **Impact**: Corrupted/truncated csrf_tokens.json on shutdown - **Fix**: Added saveMu mutex to serialize all disk writes **P0-5: CSRF Store Deadlock on Double-Stop** (csrf_store.go:103-108) - **Problem**: stopChan unbuffered, no sync.Once guard, uses send not close - **Impact**: Second Stop() call blocks forever waiting for receiver - **Fix**: - Added sync.Once field stopOnce - Changed to close(stopChan) within stopOnce.Do() - Prevents double-close panic and deadlock All fixes maintain backwards compatibility. The recovery token fix is particularly critical as it closes a security vulnerability allowing replay attacks on password reset flows. |
||
|---|---|---|
| .. | ||
| concurrency_test.go | ||
| hub.go | ||
| hub_concurrency_test.go | ||