fix(#205) #247

Open
anshul23102 wants to merge 1 commit into Coder-s-OG-s:main from anshul23102:fix/205-claim-toctou

Conversation

anshul23102 (Contributor) commented Jun 1, 2026

Summary

Adds post-claim count verification with automatic rollback to close a TOCTOU race condition that allowed concurrent requests to bypass the 3-active-claim limit.

Related Issue

Closes #205

Type of Change

  • Bug fix
  • Security fix

Root Cause

`claimRecommendation` used COUNT then UPDATE as two separate round-trips. Concurrent requests could both read a count below the limit, both proceed with the claim INSERT, and both return success - leaving the user with more than 3 active claims.

What Changed

  • Added a post-write count verification inside the claim transaction.
  • If the count after insertion exceeds the limit, the claim is rolled back and a 429 is returned, ensuring the limit is enforced atomically.

Testing

  • Concurrent claim requests no longer exceed the 3-active limit
  • Single sequential claims continue to work as before
  • Rollback path returns the correct error response
  • Existing CI checks pass

Checklist

  • No hardcoded secrets or credentials
  • Single focused change
  • No merge conflicts with main

…CTOU bypass

Closes Coder-s-OG-s#205

claimRecommendation enforced the 3-active-claim limit using a COUNT query
followed by a separate UPDATE. Two concurrent requests from the same user
could both pass the pre-check count before either write committed, allowing
the user to hold more than 3 active claims (TOCTOU race condition).

The existing UPDATE WHERE status='open' is already atomic at the row level
so two concurrent requests cannot claim the same rec twice. The race only
applies to claims on different recs near the limit.

Added a post-claim count verification immediately after the successful UPDATE.
If the post-write count exceeds 3, the newly claimed rec is immediately reverted
to 'open' and the caller receives a claim_limit error. This eliminates the
window between check and write without requiring a database schema change:
the worst case is an extra write on the rare concurrent edge case, not a
permanent limit bypass.
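Added example, not the project's code, that models the race the PR describes in JavaScript: an in-memory Map stands in for the database, `roundTrip` yields to the event loop so concurrent requests interleave between COUNT and UPDATE, and the function, store and user names are assumed. `race` fires one claim per rec concurrently and returns how many claims the user holds afterwards: the pre-check-only path ends above the limit, the post-write verification with rollback does not.

```javascript
const LIMIT = 3;
// Constructed in-memory "recommendations" table: recId -> row.
function makeStore(n) {
  const recs = new Map();
  for (let i = 1; i <= n; i++) recs.set(`rec-${i}`, { status: 'open', claimedBy: null });
  return recs;
}

// Stands in for a database round-trip: yielding to the event loop lets
// other in-flight requests run between the COUNT and the UPDATE.
const roundTrip = () => new Promise((resolve) => setImmediate(resolve));
// SELECT COUNT(*) WHERE claimed_by = user AND status = 'claimed'
async function countActive(store, user) {
  await roundTrip();
  let n = 0;
  for (const row of store.values()) if (row.claimedBy === user) n++;
  return n;
}
// UPDATE ... SET status='claimed' WHERE id = recId AND status = 'open'
// Atomic per row (no double-claim of one rec); the race is across recs.
async function claimRow(store, recId, user) {
  await roundTrip();
  const row = store.get(recId);
  if (row.status !== 'open') return false;
  row.status = 'claimed'; row.claimedBy = user;
  return true;
}
// Pre-check only: the TOCTOU window lies between countActive and claimRow.
async function claimNaive(store, recId, user) {
  if ((await countActive(store, user)) >= LIMIT) return 'claim_limit';
  return (await claimRow(store, recId, user)) ? 'ok' : 'already_claimed';
}
// The PR's approach: re-count after the write, revert this row if over.
async function claimVerified(store, recId, user) {
  if ((await countActive(store, user)) >= LIMIT) return 'claim_limit';
  if (!(await claimRow(store, recId, user))) return 'already_claimed';
  if ((await countActive(store, user)) > LIMIT) {
    const row = store.get(recId);
    row.status = 'open'; row.claimedBy = null; // rollback to 'open'
    return 'claim_limit';
  }
  return 'ok';
}
// Fire one claim per rec concurrently; return how many 'alice' holds after.
async function race(claimFn, recs = 5) {
  const store = makeStore(recs);
  await Promise.all([...store.keys()].map((id) => claimFn(store, id, 'alice')));
  return countActive(store, 'alice');
}
```

The verified path enforces the upper bound but does not decide which of the racing requests win; some of them receive `claim_limit` even though they would have succeeded sequentially. In a real deployment the re-count and the revert run inside the same transaction as the claim, as the PR description states.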
vercel bot commented Jun 1, 2026

@anshul23102 is attempting to deploy a commit to the codersogs-3057's projects Team on Vercel.

A member of the Team first needs to authorize it.

github-actions bot commented Jun 1, 2026

Hey @anshul23102

You have 4 open PRs right now. The limit is 3 at a time.

Please get your existing PRs merged or closed before opening new ones:

This PR will remain open but won't be reviewed until you're under the limit. See our Contributing Guidelines for details.


Development

Successfully merging this pull request may close these issues.

Bug: TOCTOU race condition in claimRecommendation allows bypassing the 3-active-claim limit

1 participant