fix: ensure session lock is held during node state checks in StreamRequestHandler (#22765)

caalador · claude · web-flow · commit 9119fbbc9814 · 2025-11-18T13:00:28.000+02:00
StreamRequestHandler.callElementResourceHandler was performing node state checks (isInert, isEnabled, isAttached, isVisible) without holding the session lock, creating a race condition where node state could change between validation and handler execution. This change moves all node state checks inside a single session lock block to ensure thread-safe access throughout the validation process. The nested lock for UploadHandler has been removed as it's now redundant. Fixes #22746 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/flow-server/src/main/java/com/vaadin/flow/server/communication/StreamRequestHandler.java b/flow-server/src/main/java/com/vaadin/flow/server/communication/StreamRequestHandler.java
@@ -139,21 +139,21 @@ private void callElementResourceHandler(VaadinSession session,
         Element owner = elementRequest.getOwner();
         StateNode node = owner.getNode();
 
-        if (blockInert(elementRequest, node)
-                || blockDisabled(elementRequest, node) || !node.isAttached()
-                || !node.isVisible()) {
-            response.sendError(HttpStatusCode.FORBIDDEN.getCode(),
-                    "Resource not available");
-            return;
-        }
+        session.lock();
+        try {
+            if (blockInert(elementRequest, node)
+                    || blockDisabled(elementRequest, node) || !node.isAttached()
+                    || !node.isVisible()) {
+                response.sendError(HttpStatusCode.FORBIDDEN.getCode(),
+                        "Resource not available");
+                return;
+            }
 
-        if (elementRequest
-                .getElementRequestHandler() instanceof UploadHandler) {
-            // Validate upload security key. Else respond with
-            // FORBIDDEN.
-            PathData parts = parsePath(pathInfo);
-            session.lock();
-            try {
+            if (elementRequest
+                    .getElementRequestHandler() instanceof UploadHandler) {
+                // Validate upload security key. Else respond with
+                // FORBIDDEN.
+                PathData parts = parsePath(pathInfo);
                 String secKey = elementRequest.getId();
                 if (secKey == null || !MessageDigest.isEqual(
                         secKey.getBytes(StandardCharsets.UTF_8),
@@ -187,9 +187,9 @@ private void callElementResourceHandler(VaadinSession session,
                             "Resource not available");
                     return;
                 }
-            } finally {
-                session.unlock();
             }
+        } finally {
+            session.unlock();
         }
         elementRequest.getElementRequestHandler().handleRequest(request,
                 response, session, elementRequest.getOwner());
