Add mutex to getSnapState to prevent concurrent decryption

Mrtenz · Mrtenz · commit e15bdc3152f7 · 2025-03-24T13:59:17.000+01:00
diff --git a/packages/snaps-controllers/src/snaps/SnapController.ts b/packages/snaps-controllers/src/snaps/SnapController.ts
@@ -286,6 +286,11 @@ export type SnapRuntimeData = {
    * A mutex to prevent concurrent state updates.
    */
   stateMutex: Mutex;
+
+  /**
+   * A mutex to prevent concurrent state decryption.
+   */
+  getStateMutex: Mutex;
 };
 
 export type SnapError = {
@@ -2046,33 +2051,35 @@ export class SnapController extends BaseController<
    */
   async getSnapState(snapId: SnapId, encrypted: boolean): Promise<Json> {
     const runtime = this.#getRuntimeExpect(snapId);
-    const cachedState = encrypted ? runtime.state : runtime.unencryptedState;
+    return await runtime.getStateMutex.runExclusive(() => {
+      const cachedState = encrypted ? runtime.state : runtime.unencryptedState;
 
-    if (cachedState !== undefined) {
-      return cachedState;
-    }
+      if (cachedState !== undefined) {
+        return cachedState;
+      }
 
-    const state = encrypted
-      ? this.state.snapStates[snapId]
-      : this.state.unencryptedSnapStates[snapId];
+      const state = encrypted
+        ? this.state.snapStates[snapId]
+        : this.state.unencryptedSnapStates[snapId];
 
-    if (state === null || state === undefined) {
-      return null;
-    }
+      if (state === null || state === undefined) {
+        return null;
+      }
 
-    if (!encrypted) {
-      // For performance reasons, we do not validate that the state is JSON,
-      // since we control serialization.
-      const json = JSON.parse(state);
-      runtime.unencryptedState = json;
+      if (!encrypted) {
+        // For performance reasons, we do not validate that the state is JSON,
+        // since we control serialization.
+        const json = JSON.parse(state);
+        runtime.unencryptedState = json;
 
-      return json;
-    }
+        return json;
+      }
 
-    const decrypted = await this.#decryptSnapState(snapId, state);
-    runtime.state = decrypted;
+      const decrypted = await this.#decryptSnapState(snapId, state);
+      runtime.state = decrypted;
 
-    return decrypted;
+      return decrypted;
+    });
   }
 
   /**
@@ -3968,6 +3975,7 @@ export class SnapController extends BaseController<
       interpreter,
       stopping: false,
       stateMutex: new Mutex(),
+      getStateMutex: new Mutex(),
     });
   }
 
