fix(#10241): prevent race condition in unique() validation allowing duplicates #11069
Open
shivv23 wants to merge 1 commit into
…ing duplicates

The unique() validation uses a read-then-write pattern that is vulnerable to concurrent requests. When two SMS messages arrive within seconds, both pass the unique() check before either document is committed, resulting in duplicate records.

Added an in-memory lock (Set) keyed on the sorted unique field values. Before querying the database, the exists() function acquires the lock. If another concurrent call holds the same lock, exists() returns true (not unique), preventing the duplicate. The lock is released in a finally block after the DB query completes.

Node.js single-threaded execution ensures the check-and-set is atomic - two async functions cannot interleave their synchronous operations at the lock-acquisition point. The race window between the DB query and save is protected by the lock held during the entire exists() duration.
224aaa2 to f99f359
Summary
The unique() validation uses a read-then-write pattern that is vulnerable to concurrent requests. When two SMS messages arrive within seconds, both pass the unique() check before either document is committed, resulting in duplicate records.
Changes
- Set-based lock keyed on sorted unique field value pairs.
- exists() checks the lock set. If another concurrent call holds the same lock, exists() immediately returns true (not unique), preventing the duplicate.
- finally block after the DB query completes.
Why this works
Node.js single-threaded execution ensures the lock check-and-set is atomic: two async functions cannot interleave their synchronous operations at the lock-acquisition point. The race window between the DB query and save is protected because the lock is held during the entire exists() execution.
Testing
validation_utils unit tests pass.
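An added example, not code from this pull request: a model of the lock described above, with a constructed in-memory array standing in for the database. `makeValidator`, `submit`, the field names and the delays are assumptions; it runs one case where two checks overlap and one where the second check starts after the first has released the lock but before it has saved.

```javascript
// Added example: constructed model of the described lock; all names are hypothetical.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
const FIELDS = ['patient_id', 'form'];          // constructed unique fields
const DOC = { patient_id: 'P1', form: 'V' };    // constructed sample document

function makeValidator() {
  const store = [];          // stands in for the database
  const locks = new Set();   // in-memory lock, local to this process
  // Lock key built from the sorted unique field/value pairs.
  const keyOf = (doc) => [...FIELDS].sort().map((f) => `${f}=${doc[f]}`).join('|');

  // Returns true when the document must be treated as "not unique".
  async function exists(doc) {
    const key = keyOf(doc);
    if (locks.has(key)) return true;   // a concurrent check holds the lock
    locks.add(key);                    // synchronous check-and-set, no await in between
    try {
      await sleep(10);                 // simulated DB query latency
      return store.some((d) => FIELDS.every((f) => d[f] === doc[f]));
    } finally {
      locks.delete(key);               // released once the query completes
    }
  }

  // Validate, then save after a delay that models the rest of the pipeline.
  async function submit(doc, saveDelayMs) {
    if (await exists(doc)) return false;
    await sleep(saveDelayMs);
    store.push(doc);
    return true;
  }
  return { submit, store };
}

// Case 1: both checks overlap, so the second one sees the lock and is rejected.
async function overlappingChecks() {
  const v = makeValidator();
  await Promise.all([v.submit({ ...DOC }, 0), v.submit({ ...DOC }, 0)]);
  return v.store.length;
}

// Case 2: the second check starts after the first released the lock, before it saved.
async function checkAfterRelease() {
  const v = makeValidator();
  const first = v.submit({ ...DOC }, 50);
  await sleep(20);                     // first exists() is done, its save is pending
  await Promise.all([first, v.submit({ ...DOC }, 0)]);
  return v.store.length;
}
Promise.all([overlappingChecks(), checkAfterRelease()]).then((r) => console.log(r));
```

In this model the first case stores one document and the second stores two: the lock covers overlapping exists() calls within one process, not the interval between a completed check and the save.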