[WEB-7894] fix: eliminate TOCTOU race in InstanceAdminSignUp (GHSA-p548-28jp-wr4p) #9332
mguptahub wants to merge 2 commits into
Conversation
…48-28jp-wr4p)

Two concurrent POST requests to InstanceAdminSignUpEndpoint could both pass the "no admin yet" check before either created the InstanceAdmin row, resulting in dual instance admins.

Fix: wrap the check + create in transaction.atomic() with select_for_update() on the Instance singleton row. The pre-check (is_setup_done / existing admin) outside the lock is kept as a fast early-exit for the common post-setup path. The re-check inside the lock is the authoritative guard; user_login() is kept outside the transaction to avoid holding the DB lock during session writes.

Co-authored-by: Plane AI <noreply@plane.so>
CodeRabbit review summary: No actionable comments were generated in the recent review. Walkthrough: Atomic admin signup. Estimated code review effort: 2 (Simple), ~10 minutes. Pre-merge checks: 4 passed, 1 failed (1 warning).
Linked to Plane Work Item(s). This comment was auto-generated by Plane.
Actionable comments posted: 1
Inline comments:

In `apps/api/plane/license/api/views/admin.py`, around lines 108-110: The initial-admin guard in the admin setup flow is too narrowly scoped to a single Instance row, which can bypass protection if another Instance exists. Update the guard in the relevant admin creation path around the setup check to use a global InstanceAdmin existence check consistently, or enforce the singleton assumption with a database-level constraint on Instance so the shortcut remains safe. Refer to the setup logic in admin.py and the InstanceAdmin/Instance models when applying the fix.
The pre-check and re-check inside the atomic block were scoped to filter(instance=instance), which could be bypassed if a stray second Instance row existed. Changed both guards to InstanceAdmin.objects.exists() to match the original global check and make them consistent with each other.

Co-authored-by: Plane AI <noreply@plane.so>
Summary

`InstanceAdminSignUpEndpoint.post()` checked for an existing `InstanceAdmin` with a non-atomic read (`InstanceAdmin.objects.first()`) and then created one in a separate write. Two concurrent requests could both pass the check and create two instance admins.

`transaction.atomic()` with `select_for_update()` on the `Instance` singleton row. The pre-check outside the lock (`is_setup_done` / existing admin) is a fast early-exit for the common post-setup path; the re-check inside the lock is the authoritative race-free guard.

Changes

`apps/api/plane/license/api/views/admin.py`:
- `from django.db import transaction`
- `instance.is_setup_done` (secondary guard)
- `transaction.atomic()` with `Instance.objects.select_for_update().get(pk=instance.pk)` to serialize concurrent signups
- `user_login()` outside the transaction to avoid holding the DB lock during session writes

Test plan
- `is_setup_done=True`, login redirect works
- `ADMIN_ALREADY_EXIST` redirect

Co-authored-by: Plane AI <noreply@plane.so>
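The check-then-create race from the Summary above, and the serialized guard the PR introduces, as an added stand-alone example that is not part of this PR or of Plane's code base. It uses Python's `sqlite3` module, with `BEGIN IMMEDIATE` standing in for Django's `transaction.atomic()` plus `select_for_update()`; the `instance_admin` table, the function names and the e-mail addresses are constructed for the demonstration. A barrier forces both simulated requests past the unlocked check before either writes, which is exactly the interleaving the PR describes.

```python
"""Added example (not Plane's code): the TOCTOU in admin signup and its serialized fix,
simulated with sqlite3. Table, function names and sample e-mails are constructed."""
import os
import sqlite3
import tempfile
import threading

# Constructed stand-in for the InstanceAdmin table.
SCHEMA = """
CREATE TABLE IF NOT EXISTS instance_admin (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_email TEXT NOT NULL
)
"""


def connect(path):
    # isolation_level=None: no implicit BEGIN, so each statement autocommits
    # unless we open a transaction ourselves. timeout is the busy-wait for locks.
    return sqlite3.connect(path, isolation_level=None, timeout=10)


def fresh_db():
    """Create an empty database file with the constructed schema."""
    fd, path = tempfile.mkstemp(suffix=".sqlite3")
    os.close(fd)
    conn = connect(path)
    conn.execute("PRAGMA journal_mode=WAL")  # readers never block writers
    conn.execute(SCHEMA)
    conn.close()
    return path


def admin_exists(conn):
    # Global check over the whole table (the shape the second commit settled on),
    # not a per-Instance filter.
    return conn.execute("SELECT COUNT(*) FROM instance_admin").fetchone()[0] > 0


def signup_racy(path, email, barrier):
    """'Before' shape: the read and the write are separate autocommit statements."""
    conn = connect(path)
    try:
        exists = admin_exists(conn)
        barrier.wait(timeout=10)  # both requests have now passed the check
        if exists:
            return "ADMIN_ALREADY_EXIST"
        conn.execute("INSERT INTO instance_admin (user_email) VALUES (?)", (email,))
        return "CREATED"
    finally:
        conn.close()


def signup_serialized(path, email, barrier):
    """'After' shape: take the write lock first, then re-check and create under it."""
    conn = connect(path)
    try:
        barrier.wait(timeout=10)  # both requests arrive together
        conn.execute("BEGIN IMMEDIATE")  # second caller blocks here until the first commits
        try:
            if admin_exists(conn):  # authoritative re-check inside the lock
                conn.execute("ROLLBACK")
                return "ADMIN_ALREADY_EXIST"
            conn.execute("INSERT INTO instance_admin (user_email) VALUES (?)", (email,))
            conn.execute("COMMIT")
            return "CREATED"
        except Exception:
            conn.execute("ROLLBACK")
            raise
    finally:
        conn.close()


def run_concurrent(signup, path):
    """Fire two signups at one database; return sorted outcomes and the admin row count."""
    barrier = threading.Barrier(2)
    results = {}

    def worker(email):
        results[email] = signup(path, email, barrier)

    emails = ["first@example.test", "second@example.test"]  # constructed
    threads = [threading.Thread(target=worker, args=(e,)) for e in emails]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    conn = connect(path)
    count = conn.execute("SELECT COUNT(*) FROM instance_admin").fetchone()[0]
    conn.close()
    for suffix in ("", "-wal", "-shm"):  # best-effort cleanup of the temp database
        if os.path.exists(path + suffix):
            os.remove(path + suffix)
    return sorted(results.values()), count


def demo():
    racy = run_concurrent(signup_racy, fresh_db())
    fixed = run_concurrent(signup_serialized, fresh_db())
    return racy, fixed


if __name__ == "__main__":
    racy, fixed = demo()
    print("racy       :", racy)   # (['CREATED', 'CREATED'], 2)
    print("serialized :", fixed)  # (['ADMIN_ALREADY_EXIST', 'CREATED'], 1)
```

Run it directly to see the unlocked path end with two admin rows and the locked path with one. The lock is taken before the re-check, so the losing request observes the winner's committed row; the guard counts the whole table rather than filtering by instance, which is the point CodeRabbit raised and the second commit adopted.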