Skip to content

fix: resolve critical concurrency, security, and reliability bugs#2

Open
Bill-Billion wants to merge 2 commits intoshareAI-lab:mainfrom
Bill-Billion:fix-concurrency-security-bugs
Open

fix: resolve critical concurrency, security, and reliability bugs#2
Bill-Billion wants to merge 2 commits intoshareAI-lab:mainfrom
Bill-Billion:fix-concurrency-security-bugs

Conversation

@Bill-Billion
Copy link
Copy Markdown

@Bill-Billion Bill-Billion commented Apr 2, 2026

Summary

修复多智能体分析发现的 8 个高危问题:

  • queue.ts: 修复 drain() 竞态条件,drainingDepth 计数器替代布尔标志
  • sessions.ts: 添加 100ms debounced 写入队列,防止 JSON 文件损坏
  • agent.ts: 添加 5 分钟超时和 proc.kill() finally 块,防止僵尸进程
  • access.ts: 换用 crypto.randomBytes() 生成配对码,添加 chat_id 验证
  • index.ts: 实现优雅关闭,等待队列排空(最多 30 秒)
  • reply.ts: 修复 pendingPush 竞态条件,确保 patcher 就绪前的文本不丢失

Test Plan

  • 24/24 单元测试通过
  • TypeScript 检查通过
  • 飞书真实测试验证

修复的问题

问题 严重性 文件
GroupQueue.drain() 竞态条件 HIGH queue.ts
sessions.json 并发写入无锁 HIGH sessions.ts
Python 子进程从不终止 HIGH agent.ts
stdin 关闭后 reader 无超时 HIGH agent.ts
Pairing Code 用 Math.random() HIGH access.ts
Pairing Code 不验证 chat_id HIGH access.ts
shutdown 不等待队列任务 HIGH index.ts
TextBlock patcher 竞态条件 HIGH reply.ts

@Bill-Billion
fix: resolve critical concurrency, security, and reliability bugs
4fe8bbd 
- queue.ts: fix drain() race condition that caused second message
  in same group to hang indefinitely by using draining flag
- sessions.ts: add debounced write queue to prevent concurrent
  writeFileSync from corrupting JSON file
- agent.ts: add 5-minute timeout and proc.kill() in finally
  block to prevent zombie Python processes
- access.ts: replace Math.random() with crypto.randomBytes()
  for secure pairing codes; add chat_id verification to
  prevent cross-chat pairing code attacks
- index.ts: implement graceful shutdown waiting for queues
  to drain (max 30s) before exiting
@Bill-Billion
test: add unit tests for bug fixes (24 tests, all pass)
62da4b4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Bill-Billion