Conversation

@niklub niklub (Collaborator) commented Aug 7, 2025

The validation bypass race condition occurs when users rapidly click submit buttons (or trigger other events that cause <500ms submissions while validation takes longer), allowing invalid submissions to bypass required field validation.

Possible state change:

t=0ms: Click 1 starts
       holdsState: false ✅
       choice1._sel: false
       choice2._sel: false

t=1ms: Click 1 beforeSend()
       holdsState: false ✅
       [MobX reactions queued]

t=3ms: Click 1 result processing
       holdsState: false ✅
       [Observable updates pending]

t=4ms: Click 1 validation starts
       holdsState: false ✅ → Should block

t=5ms: Click 2 starts ◄── RACE CONDITION WINDOW
       holdsState: false ✅ (still reading old state)

t=6ms: Click 2 beforeSend() + MobX reactions fire
       holdsState: false → true ❌ (STATE CORRUPTED)
       choice1._sel: false → true (setResult applied)

t=7ms: Click 2 validation reads corrupted state
       holdsState: true ❌ → Validation bypassed

This implementation provides multi-layered protection against the validation bypass race condition:

  1. AppStore Level - isValidating flag prevents concurrent submission attempts
  2. Annotation Level - _isValidating flag prevents concurrent validation execution
  3. Choices Level - Fixed missing return statement prevents undefined validation results

How It Prevents Race Conditions

Before Fix (Vulnerable):

Timeline:    0ms    5ms    10ms   15ms   20ms
             │      │      │      │      │
Click 1:     ├──────┼──────┼──────┼──────┼──► Submit
             │      │      │      │      │
Click 2:     │      ├──────┼──────X      │
             │      │      │      ▲      │
         Validate   │   Blocked    │      │
                    │              │      │
              isSubmitting=true    │      │

After Fix (Protected):

Timeline:    0ms    5ms    10ms   15ms   20ms
             │      │      │      │      │
Click 1:     ├──────┼──────┼──────┼──────┼──► Submit
             │      │      │      │      │
Click 2:     │      X      │      │      │
             │      ▲      │      │      │
    isValidating=true      │      │      │
         (Immediately)     │      │      │

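As an added example that is not part of the PR or of Label Studio's own code: a deterministic model, in JavaScript, of the interleaving described in the comment above and of the AppStore-level isValidating guard that closes it. Every name here (AnnotationModel, beforeSend, flushReactions, submit, replayRaceTimeline) is a hypothetical stand-in for the real store and annotation classes; the reaction queue only stands in for MobX's deferred observable updates, and the assumption that the pre-send hook commits an empty result object is what lets the stale holdsState check pass in this model.

```javascript
// Added example, not Label Studio's code. Models the submit/validate race from
// the PR description and the isValidating guard that closes it. All names here
// (AnnotationModel, beforeSend, flushReactions, submit, replayRaceTimeline)
// are hypothetical stand-ins for the real store and annotation classes.

class AnnotationModel {
  constructor({ guarded }) {
    this.guarded = guarded;       // true: apply the isValidating guard
    this.results = [];            // committed results of the required control
    this.reactionQueue = [];      // stands in for MobX reactions queued by observable writes
    this.isValidating = false;
    this.submitted = [];          // submissions that reached the server
  }

  // Simplified holdsState: the required control has at least one result.
  get holdsState() {
    return this.results.length > 0;
  }

  // Hypothetical pre-send hook (assumption): it commits the control's current
  // result object even when nothing was selected, but the observable write only
  // becomes visible once the queued reactions flush.
  beforeSend() {
    this.reactionQueue.push(() => this.results.push({ choices: [] }));
  }

  flushReactions() {
    this.reactionQueue.splice(0).forEach((reaction) => reaction());
  }

  validate() {
    return this.holdsState;
  }
}

// One submit attempt as a generator; each yield is a point where the event loop
// can interleave another click. Returns the attempt's outcome string.
function* submit(model, clickId) {
  if (model.guarded) {
    if (model.isValidating) return `${clickId}: rejected`;   // guard checked and set
    model.isValidating = true;                               // synchronously, before any yield
  }
  try {
    model.beforeSend();                 // observable write queued, not yet applied
    yield "beforeSend";
    const ok = model.validate();        // reads whatever state is visible right now
    yield "validate";
    if (ok) model.submitted.push(clickId);
    return `${clickId}: ${ok ? "submitted" : "blocked"}`;
  } finally {
    if (model.guarded) model.isValidating = false;   // released even if validate() throws
  }
}

// Replays the interleaving from the PR description: click 1 runs beforeSend and
// validation, then click 2 arrives while click 1 is still in flight and the
// queued reactions fire together with click 2's beforeSend.
function replayRaceTimeline(guarded) {
  const model = new AnnotationModel({ guarded });
  const click1 = submit(model, "click1");
  const click2 = submit(model, "click2");

  click1.next();                          // t=1: click 1 beforeSend(), write queued
  click1.next();                          // t=4: click 1 validates against stale state
  let step = click2.next();               // t=5: click 2 starts (guarded: rejected here)
  if (!step.done) {
    model.flushReactions();               // t=6: reactions fire, holdsState flips to true
    click2.next();                        // t=7: click 2 validates the mutated state
    step = click2.next();                 // click 2 finishes
  }
  const click2Outcome = step.value;
  const click1Outcome = click1.next().value;   // click 1 finishes

  return { click1: click1Outcome, click2: click2Outcome, submitted: model.submitted };
}

console.log("vulnerable:", replayRaceTimeline(false));
console.log("fixed:     ", replayRaceTimeline(true));
```

The point the model makes is about ordering: the guard is checked and set synchronously before the first yield (the first await in real code) and released in a finally block, so a second click that lands anywhere inside the window is turned away without ever running beforeSend or validation. A flag set after the first await, or cleared only on the success path, would leave the same window open or wedge the store after a thrown validation error.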

netlify bot commented Aug 7, 2025

Deploy Preview for label-studio-docs-new-theme canceled.

Name Link
🔨 Latest commit bea2720
🔍 Latest deploy log https://app.netlify.com/projects/label-studio-docs-new-theme/deploys/6894ba1504fe5d00083faafa


netlify bot commented Aug 7, 2025

Deploy Preview for heartex-docs canceled.

Name Link
🔨 Latest commit bea2720
🔍 Latest deploy log https://app.netlify.com/projects/heartex-docs/deploys/6894ba1532bf3300088b5646


netlify bot commented Aug 7, 2025

Deploy Preview for label-studio-storybook ready!

Name Link
🔨 Latest commit bea2720
🔍 Latest deploy log https://app.netlify.com/projects/label-studio-storybook/deploys/6894ba151e071f0008f92700
😎 Deploy Preview https://deploy-preview-8111--label-studio-storybook.netlify.app

@github-actions github-actions bot added the fix label Aug 7, 2025

netlify bot commented Aug 7, 2025

Deploy Preview for label-studio-playground ready!

Name Link
🔨 Latest commit bea2720
🔍 Latest deploy log https://app.netlify.com/projects/label-studio-playground/deploys/6894ba151613630009400f46
😎 Deploy Preview https://deploy-preview-8111--label-studio-playground.netlify.app


codecov bot commented Aug 7, 2025

Codecov Report

❌ Patch coverage is 79.66102% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.51%. Comparing base (066c4b2) to head (bea2720).

Files with missing lines Patch % Lines
web/libs/editor/src/stores/AppStore.js 78.26% 10 Missing ⚠️
...eb/libs/editor/src/stores/Annotation/Annotation.js 83.33% 2 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (066c4b2) and HEAD (bea2720).

HEAD has 1 upload less than BASE
Flag BASE (066c4b2) HEAD (bea2720)
pytests 1 0
Additional details and impacted files
@@             Coverage Diff             @@
##           develop    #8111      +/-   ##
===========================================
- Coverage    70.53%   65.51%   -5.02%     
===========================================
  Files          719      505     -214     
  Lines        51391    33872   -17519     
  Branches      8736     8737       +1     
===========================================
- Hits         36248    22192   -14056     
+ Misses       15140    11677    -3463     
  Partials         3        3              
Flag Coverage Δ
lsf-e2e 58.59% <71.18%> (-1.18%) ⬇️
lsf-integration 55.42% <76.27%> (-0.05%) ⬇️
lsf-unit 9.51% <0.00%> (-0.01%) ⬇️
pytests ?

Flags with carried forward coverage won't be shown.
