balderdashy/sails

Data leak between requests

Open

#6944 opened on Jan 30, 2020

Labels: bug, help wanted, orm, repro please

Description

Node version: node:8.12-alpine
Sails version (sails): "^1.2.3"
ORM hook version (sails-hook-orm): "^2.1.1"
Sockets hook version (sails-hook-sockets): "^1.4.0"

ISSUE 1: Somehow response data from one request, say to '/user/login', ends up being swapped with someone else's request response. So users on our apps got swapped and saw the other's info.

ISSUE 2: Similarly, two parallel requests to an API, say 'list-items', end up mixing items from both users together in the response. So one user gets some of his items and some of the other user's items, and the same with the other user.

What we did to solve the problem was to refactor the code a bit:
1- We stopped using things like Promise.all() and did some refactoring, which solved ISSUE 1.
2- We had a function that receives an items list as input and goes into a for loop (for x of y) to call two awaited db calls for each of the items, create some additional property for the item, push it into a new array and return this array. This array was getting mixed up.

Regardless of our code and whether it could be written in a better way or not, how on earth is data being swapped like this? Is there anyone who knows or has faced something like this with sailsjs before?

Thank you !
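
The report does not establish a root cause. As an added illustration (not the reporter's code and not Sails code), here is one common way the ISSUE 2 symptom arises in Node.js: the result array of the for...of/await function lives at module scope, so concurrent requests share it. `fakeDb`, `enrichShared`, `enrichLocal` and the sample items are hypothetical names and constructed data.

```javascript
// Constructed stand-in for an awaited DB call (hypothetical helper).
const fakeDb = (value) => new Promise((resolve) => setTimeout(() => resolve(value), 1));

// ASSUMED BUG: `enriched` is module-level, so every in-flight request
// pushes into (and returns) the same array.
let enriched = [];
async function enrichShared(items) {
  enriched = []; // re-assigned by whichever request starts last
  for (const item of items) {
    const owner = await fakeDb(item.owner); // each await yields to other requests
    const label = await fakeDb(`${item.name}!`);
    enriched.push({ owner, label });
  }
  return enriched;
}

// FIX: the array is local to the call, so requests cannot see each other's rows.
async function enrichLocal(items) {
  const out = [];
  for (const item of items) {
    const owner = await fakeDb(item.owner);
    const label = await fakeDb(`${item.name}!`);
    out.push({ owner, label });
  }
  return out;
}

// Constructed sample data: two users hitting 'list-items' in parallel.
const aliceItems = [{ owner: 'alice', name: 'a1' }, { owner: 'alice', name: 'a2' }];
const bobItems = [{ owner: 'bob', name: 'b1' }, { owner: 'bob', name: 'b2' }];

// True if a response contains a row owned by anyone other than `user`.
const leaks = (rows, user) => rows.some((r) => r.owner !== user);

// Promise.all here only simulates two requests being in flight at once.
async function demo() {
  const [sA, sB] = await Promise.all([enrichShared(aliceItems), enrichShared(bobItems)]);
  const [lA, lB] = await Promise.all([enrichLocal(aliceItems), enrichLocal(bobItems)]);
  return {
    sharedLeaks: leaks(sA, 'alice') || leaks(sB, 'bob'),
    localLeaks: leaks(lA, 'alice') || leaks(lB, 'bob'),
    sharedRows: sA.length,
  };
}
```

A per-response ownership check like `leaks` can also run in integration tests that fire parallel requests as different users, which catches this class of cross-request state before it reaches production.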
