sneak/upaas
1
0
Fork 0
Code Issues 9 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity

MEDIUM: Setup endpoint race condition — multiple admin users can be created #26

New Issue
Closed
opened 2026-02-16 05:47:14 +01:00 by clawbot · 1 comment
clawbot commented 2026-02-16 05:47:14 +01:00
Collaborator
Copy Link

Bug

Files:

  • internal/handlers/setup.go, HandleSetupPOST()
  • internal/service/auth/auth.go, CreateUser()
  • internal/middleware/middleware.go, SetupRequired()

Severity: MEDIUM — Authentication bypass

Description

There is a TOCTOU (Time-of-Check-Time-of-Use) race condition in the setup flow:

  1. SetupRequired() middleware checks if any users exist
  2. HandleSetupPOST() processes the form
  3. CreateUser() checks UserExists() again, then inserts

If two requests arrive simultaneously (e.g., automated attack while the setup page is accessible), both can pass the UserExists() check before either has inserted a user. The second insert may succeed (SQLite doesn't have a UNIQUE constraint on username based on the migration), creating a second admin account.

Even if the second CreateUser returns ErrUserExists, the middleware check at step 1 happens independently for each request.

Suggested Fix

  1. Add a UNIQUE constraint on users.username in the database schema
  2. Use a mutex in CreateUser or use an INSERT with conflict handling: 
    INSERT INTO users (username, password_hash) VALUES (?, ?)
ON CONFLICT(username) DO NOTHING
  3. The CreateUser function should check row count after insert to detect conflicts
## Bug **Files:** - `internal/handlers/setup.go`, `HandleSetupPOST()` - `internal/service/auth/auth.go`, `CreateUser()` - `internal/middleware/middleware.go`, `SetupRequired()` **Severity:** MEDIUM — Authentication bypass ### Description There is a TOCTOU (Time-of-Check-Time-of-Use) race condition in the setup flow: 1. `SetupRequired()` middleware checks if any users exist 2. `HandleSetupPOST()` processes the form 3. `CreateUser()` checks `UserExists()` again, then inserts If two requests arrive simultaneously (e.g., automated attack while the setup page is accessible), both can pass the `UserExists()` check before either has inserted a user. The second insert may succeed (SQLite doesn't have a UNIQUE constraint on username based on the migration), creating a second admin account. Even if the second `CreateUser` returns `ErrUserExists`, the middleware check at step 1 happens independently for each request. ### Suggested Fix 1. Add a UNIQUE constraint on `users.username` in the database schema 2. Use a mutex in `CreateUser` or use an INSERT with conflict handling: ```sql INSERT INTO users (username, password_hash) VALUES (?, ?) ON CONFLICT(username) DO NOTHING ``` 3. The `CreateUser` function should check row count after insert to detect conflicts
sneak commented 2026-02-16 06:33:02 +01:00
Owner
Copy Link

implement 1 and 2 and give me a PR

implement 1 and 2 and give me a PR
sneak closed this issue 2026-02-16 06:45:02 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bot
Agent's turn to work
 bug
Something is not working
 duplicate
This issue or pull request already exists
 enhancement
New feature
 help wanted
Need some help
 invalid
Something is wrong
 merge-ready
All checks pass, reviewed, rebased, ready for merge
 needs-checks
make check does not pass cleanly
 needs-rebase
PR has merge conflicts or is behind main
 needs-review
Code review not yet done
 needs-rework
Code review found issues to fix
 notplanned
question
More information is needed
 wontfix
This won't be fixed
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
clawbot sneak
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: sneak/upaas#26
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?