Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TOCTOU race allows double-booking a slot (non-transactional) #33

New Issue
Closed
opened 2026-06-09 19:08:19 +00:00 by thatguygriff · 1 comment
thatguygriff commented 2026-06-09 19:08:19 +00:00
Owner
Copy Link
Copy Source

Severity: Medium — integrity / potential double-charge.

Problem

BookingEndpoint::book() (src/Booking/BookingEndpoint.php:107-155) checks $slot->isBooked, then later calls insert() + markBooked() with no row lock or transaction. Two concurrent requests for the same slot both pass the check and both book it (and both may be charged).

The insertSeries path is also non-transactional — a partial failure leaves orphaned lesson rows and half-marked slots.

Fix

Use a conditional atomic update (UPDATE ... SET is_booked = 1 WHERE id = ? AND is_booked = 0) and act on the affected-row count to claim the slot before inserting the lesson, or wrap the claim+insert in a DB transaction. Apply the same for the series path.

**Severity: Medium** — integrity / potential double-charge. ## Problem `BookingEndpoint::book()` ([src/Booking/BookingEndpoint.php:107-155](src/Booking/BookingEndpoint.php#L107-L155)) checks `$slot->isBooked`, then later calls `insert()` + `markBooked()` with no row lock or transaction. Two concurrent requests for the same slot both pass the check and both book it (and both may be charged). The `insertSeries` path is also non-transactional — a partial failure leaves orphaned lesson rows and half-marked slots. ## Fix Use a conditional atomic update (`UPDATE ... SET is_booked = 1 WHERE id = ? AND is_booked = 0`) and act on the affected-row count to claim the slot before inserting the lesson, or wrap the claim+insert in a DB transaction. Apply the same for the series path.
thatguygriff added the bugsecurity labels 2026-06-09 19:08:19 +00:00
thatguygriff commented 2026-06-10 20:17:50 +00:00
Author
Owner
Copy Link
Copy Source

Verified resolved on main (061d09e, PR #38): slots are claimed via an atomic guarded update — AvailabilityRepository::claim() runs UPDATE ... SET is_booked = 1 WHERE id = %d AND is_booked = 0 and the lesson is only inserted when the affected-row count confirms this request won the claim. The weekly path claims each occurrence individually and creates lessons only for the slots actually claimed, so a racing request never double-books and no half-marked rows are left behind. Re-confirmed during the 2026-06-10 security review pass.

Verified resolved on main (061d09e, PR #38): slots are claimed via an atomic guarded update — AvailabilityRepository::claim() runs UPDATE ... SET is_booked = 1 WHERE id = %d AND is_booked = 0 and the lesson is only inserted when the affected-row count confirms this request won the claim. The weekly path claims each occurrence individually and creates lessons only for the slots actually claimed, so a racing request never double-books and no half-marked rows are left behind. Re-confirmed during the 2026-06-10 security review pass.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
Something isn't working
 enhancement
Extends an existing feature
 feature
New user-facing capability
 payments
Billing, Stripe, receipts, reporting
 security
Security vulnerability or hardening
No Label bug security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
thatguygriff (James Griffin-Allwood)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Unsupervised/unsupervised-scheduler#33
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?