security: make one-time downloads atomic under concurrency (ai:gpt-5) #49

New issue

Closed

opened 2026-05-23 21:23:07 +02:00 by heiko · 1 comment

heiko commented 2026-05-23 21:23:07 +02:00

Owner

Copy link

Finding from a whole-codebase security review.

Affected code:

• cmd/once-server/download.go:65-83 opens content, then removes it.
• cmd/once-server/store/file.go:67-80 removes content and updates metadata after the caller already has an open reader.

Impact:
Two concurrent POST requests for the same download key can both open the content file before either request removes it. Both requests then keep valid file handles and can receive the secret, violating the documented exactly-once guarantee.

Suggested fix:

• Claim a download atomically before streaming, for example by renaming content to a per-download in-progress path with os.Rename, or by using an advisory lock/claim file in the UUID directory.
• Treat an already-claimed or already-removed object as downloaded.
• Update metadata consistently with the successful claim.
• Add a concurrency test that fires two POST downloads at the same key and asserts that only one gets the content.

Finding from a whole-codebase security review. Affected code: - cmd/once-server/download.go:65-83 opens `content`, then removes it. - cmd/once-server/store/file.go:67-80 removes `content` and updates metadata after the caller already has an open reader. Impact: Two concurrent POST requests for the same download key can both open the content file before either request removes it. Both requests then keep valid file handles and can receive the secret, violating the documented exactly-once guarantee. Suggested fix: - Claim a download atomically before streaming, for example by renaming `content` to a per-download in-progress path with `os.Rename`, or by using an advisory lock/claim file in the UUID directory. - Treat an already-claimed or already-removed object as downloaded. - Update metadata consistently with the successful claim. - Add a concurrency test that fires two POST downloads at the same key and asserts that only one gets the content.

heiko referenced this issue from a commit 2026-05-23 23:07:44 +02:00

fix: make one-time downloads atomic (ai:gpt-5)

heiko referenced this issue 2026-05-23 23:09:23 +02:00

fix: make one-time downloads atomic (ai:gpt-5) #56

heiko added the

security

label 2026-05-24 18:44:09 +02:00

heiko commented 2026-05-24 20:15:50 +02:00

Author

Owner

Copy link

Fixed by commit 4e53e38 (fix: make one-time downloads atomic).

Implements atomic claiming via File.Claim() method which uses atomic os.Rename():

1. Renames content → content.download atomically
2. Opens the claimed file
3. Deletes the claimed marker

Prevent TOCTOU vulnerabilities and concurrent downloads of the same file. Verified with test coverage (TestClaimAllowsOnlyOneDownloader).

Fixed by commit 4e53e38 (fix: make one-time downloads atomic). Implements atomic claiming via File.Claim() method which uses atomic os.Rename(): 1. Renames `content` → `content.download` atomically 2. Opens the claimed file 3. Deletes the claimed marker Prevent TOCTOU vulnerabilities and concurrent downloads of the same file. Verified with test coverage (TestClaimAllowsOnlyOneDownloader).

heiko closed this issue 2026-05-24 20:15:59 +02:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

nagonag/update-master

fix/44-log-removal-details

debian

once.css

dev

v2.5.13-0.20260527114056-db01c609fc25

deb/v2.5.12-1

v2.5.12

deb/v2.5.11-1

v2.5.11

deb/v2.5.10-0.20260524190140-f81a5573a1da-2

deb/v2.5.10-0.20260524190140-f81a5573a1da-1

v2.5.10-0.20260524190140-f81a5573a1da

v2.5.10-0.20260524132651-90531c0633c8

v2.5.9

v2.5.9-0.20260524121920-a8bd0d1e45a4

v2.5.9-0.20260524115638-1a8fe03c73c5

deb/v2.5.8-1

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.4-0.20250910115912-7b669c0bd9aa

v0.0.0-20250910115912-7b669c0bd9aa

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v0.0.0-20250519211121-6ae54abed7ef

v2.4.4

v2.4.3

debian/2.4.2-1

v2.4.2

debian/2.4.1-1

v2.4.1

debian/2.4-1

v2.4

v2.3

debian/2.2-1-g04382ef-1

v2.2-1-g04382ef

debian/2.2-1

v2.2

debian/2.1-1

v2.1

debian/2.0-1

v2.0

debian/1.3-1-gbfa9b7c-1

v1.3-1-gbfa9b7c

debian/1.3-1

v1.3

debian/1.2-11-g73e5390-1

1.2-11-g73e5390

debian/1.2-1

1.2

debian/1.1-1

1.1

debian/1.0-1

1.0

debian/0.3-4-gf628485-1

0.3-4-gf628485

debian/0.3-3-g94ce876-1

0.3-3-g94ce876

debian/0.3-2

0.3

debian/0.2.5-7

debian/0.2.5-6

debian/0.2.5-5

debian/0.2.5-4

debian/0.2.5-3

debian/0.2.5-2

debian/0.2.5-1

0.2.5

debian/0.2.4-1

0.2.4

debian/0.2.3-1

0.2.3

debian/0.2.2-0

0.2.2

0.2.1

0.2

0.1

Labels

Clear labels   

nagonag

Automated dependency scan finding

  

nagonag/ignore

Ignore this nagonag finding

  

bug

Something is not working

  

doc

Missing or wrong documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

question

More information is needed

  

security

This is security relevant

  

wontfix

This won't be fixed

No labels

nagonag

nagonag/ignore

bug

doc

duplicate

enhancement

help wanted

invalid

question

security

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

IUS/once#49

No description provided.