Skip to content

[API] Match state transition allows skipping veto, checkIntoMatch hardcoded false, fragment NaN #380

Open
5stackgg/api
#136
Open
[API] Match state transition allows skipping veto, checkIntoMatch hardcoded false, fragment NaN#380
5stackgg/api
#136
Labels
P2-mediumCode quality & robustnessaudit-2026-03From March 2026 codebase auditlogic-errorLogic or state machine bugservice:api5stackgg/api service
@Flegma

Description

@Flegma
Flegma
opened on Mar 26, 2026

Summary

Several logic errors in match flow control and API responses.

Findings

  • matches.controller.ts — condition uses || instead of &&, allowing match start during Veto.
  • matches.controller.ts — checkIntoMatch returns success: false always, regardless of actual result.
  • match-relay.controller.ts — parseInt(fragment) with no validation (could be NaN, negative, or huge).

Impact

Matches could skip veto. Clients can never confirm check-in success. Fragment parsing could cause logic errors.

Suggested Fix

Fix boolean operator. Return actual success status. Validate parseInt with bounds checking.

Metadata

Metadata

Assignees

No one assigned

    Labels

    P2-mediumCode quality & robustnessaudit-2026-03From March 2026 codebase auditlogic-errorLogic or state machine bugservice:api5stackgg/api service

    Type

    No type

    Projects

    5stack - Roadmap

    Status

    In progress

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions