Commit 5ebcc86

fix(server): prevent duplicate request id attack on peer adapter (#1474)
Fixes #1473

Summary by CodeRabbit

* Bug Fixes
  * Improved handling of duplicate requests—when an identical request is already in flight, the duplicate is now ignored and returns the original response instead of being processed again.
1 parent 2f22852 commit 5ebcc86

2 files changed

+33
-0
lines changed

packages/standard-server-peer/src/server.test.ts

Lines changed: 29 additions & 0 deletions
@@ -317,6 +317,35 @@ describe('serverPeer', () => {
317317
expect(handle).toHaveBeenCalledTimes(1)
318318
})
319319

320+
it('duplicate request message should be ignored', async () => {
321+
handle.mockImplementationOnce(async () => baseResponse)
322+
323+
const promise = peer.message(
324+
await encodeRequestMessage(REQUEST_ID, MessageType.REQUEST, baseRequest),
325+
handle,
326+
)
327+
328+
// Send duplicate while first request is still processing
329+
const [id, request] = await peer.message(
330+
await encodeRequestMessage(REQUEST_ID, MessageType.REQUEST, baseRequest),
331+
handle,
332+
)
333+
334+
expect(id).toBe(REQUEST_ID)
335+
expect(request).toBeUndefined()
336+
// handle should only be called once (duplicate ignored)
337+
expect(handle).toHaveBeenCalledTimes(1)
338+
339+
const [id2, request2] = await promise
340+
expect(id2).toBe(REQUEST_ID)
341+
expect(request2).toEqual({
342+
...baseRequest,
343+
signal: expect.any(AbortSignal),
344+
})
345+
346+
expect(send).toHaveBeenCalledTimes(1)
347+
})
348+
320349
it('handle throw error', async () => {
321350
handle.mockImplementationOnce(async () => {
322351
throw new Error('some error')
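Review bot: the "still processing" precondition stated in the comment at `// Send duplicate while first request is still processing` is timing-dependent rather than guaranteed: `handle.mockImplementationOnce(async () => baseResponse)` resolves on the next microtask, and the duplicate is only sent after `await encodeRequestMessage(...)` yields, so whether the first request is still registered when the second `peer.message` runs depends on how many awaits the server path takes before it clears the entry. Consider driving `handle` with a deferred promise that the test resolves explicitly after the second `peer.message` call, so the in-flight window is exercised deterministically, and only then asserting `expect(send).toHaveBeenCalledTimes(1)`. A second case for a request id replayed after the first request has completed would also pin down the intended behaviour outside that window, which this test does not cover.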

packages/standard-server-peer/src/server.ts

Lines changed: 4 additions & 0 deletions
@@ -125,6 +125,10 @@ export class experimental_ServerPeerWithoutCodec {
125125
return [id, undefined]
126126
}
127127

128+
if (this.clientControllers.has(id)) { // duplicate request message, should be ignored
129+
return [id, undefined]
130+
}
131+
128132
const clientController = this.open(id)
129133
const signal = clientController.signal
130134
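Review bot: the guard `if (this.clientControllers.has(id))` only recognises a duplicate while the first request is still open, so an id replayed after the original completes (once its controller has been removed) is processed as a brand-new request; if the intent in the title is to block a duplicate-id attack rather than only the concurrent case, that limit should at least be stated in the new comment so callers do not rely on it as replay protection. Two smaller points on the same branch: the release note says the duplicate "returns the original response", but `return [id, undefined]` drops the message without any reply (the test asserts `send` is called once), so the note should say the duplicate is dropped; and dropping silently gives an operator no signal that a peer is repeating ids, so consider a counter or debug log at this branch before returning. Style: move the trailing comment on the `if` line above the statement, matching the rest of this method.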
