Skip to content

security(trees): fix race condition in PlantTreeWithTFTF job #77

New issue
New issue
Open
Open
security(trees): fix race condition in PlantTreeWithTFTF job#77
Labels
complexity:smallLess than 2 hourslang:phpPHP/Laravelpriority:criticalDo immediatelytype:securitySecurity related
@Snider

Description

@Snider
Snider
opened on Feb 4, 2026

Parent audit: #47

Finding

Non-atomic check-decrement on tree reserve creates a race condition in the PlantTreeWithTFTF job. Concurrent jobs could over-decrement the reserve counter.

Location

  • src/Mod/Trees/Jobs/PlantTreeWithTFTF.php

Fix

Wrap the check-and-decrement logic in a database transaction with a pessimistic lock (lockForUpdate()), ensuring atomicity.

Acceptance Criteria

  • Reserve check and decrement are wrapped in a DB transaction
  • Pessimistic lock (lockForUpdate()) is used on the reserve row
  • Concurrent job execution cannot over-decrement the reserve
  • Existing tests updated to cover concurrent execution scenario

Metadata

Metadata

Assignees

No one assigned

    Labels

    complexity:smallLess than 2 hourslang:phpPHP/Laravelpriority:criticalDo immediatelytype:securitySecurity related

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions