Race Condition in Adonisjs

Race conditions in Adonisjs applications often occur in database operations where multiple requests attempt to modify the same data simultaneously. The framework's elegant async/await syntax can mask these issues, making them particularly dangerous.

Consider a common scenario in Adonisjs applications: inventory management. When two users attempt to purchase the last item simultaneously, both requests might read the same inventory count before either completes, leading to overselling:

// Vulnerable Adonisjs controller action
async buyProduct({ params, response }) {
  const product = await Product.find(params.id)
  
  if (product.inventory > 0) {
    product.inventory--
    await product.save()
    return response.json({ success: true })
  }
  
  return response.json({ success: false, message: 'Out of stock' })
}

This code is vulnerable because the read-modify-write sequence isn't atomic. Between the find and save operations, another request could modify the inventory.

Another Adonisjs-specific manifestation occurs with model relationships and cascading operations. When deleting a user who has associated posts, a race condition might allow a post to be created between the delete check and the actual deletion:

// Vulnerable user deletion
async deleteUser({ params, response }) {
  const user = await User.find(params.id)
  
  if (await user.posts().count() > 0) {
    return response.badRequest('Cannot delete user with posts')
  }
  
  await user.delete()
  return response.json({ success: true })
}

The race window exists between the count check and the delete operation. An attacker could exploit this by rapidly creating posts during this window.

Adonisjs's Lucid ORM provides transaction support, but developers often forget to use it for operations that should be atomic:

// Vulnerable transaction-less transfer
async transferFunds({ request, response }) {
  const { fromId, toId, amount } = request.all()
  
  const fromAccount = await Account.find(fromId)
  const toAccount = await Account.find(toId)
  
  if (fromAccount.balance >= amount) {
    fromAccount.balance -= amount
    toAccount.balance += amount
    
    await fromAccount.save()
    await toAccount.save()
    
    return response.json({ success: true })
  }
  
  return response.json({ success: false, message: 'Insufficient funds' })
}

If two transfers occur simultaneously, the final balances could be incorrect because the operations aren't wrapped in a transaction.

Detecting race conditions in Adonisjs applications requires both static analysis and runtime scanning. middleBrick's API security scanner includes specific checks for race condition vulnerabilities in Adonisjs applications.

The scanner examines your Adonisjs endpoints for patterns that commonly lead to race conditions. It looks for:

• Read-modify-write sequences without proper locking or transactions
• Multiple sequential database operations that should be atomic
• Conditional logic that checks state before performing state-changing operations
• Missing useTransaction calls in operations that modify multiple records
• Absence of row-level locking mechanisms

middleBrick's scanning process for Adonisjs applications includes:

# Scan your Adonisjs API endpoint
middlebrick scan https://yourapi.com/api/products/buy/123

The scanner tests for race conditions by sending concurrent requests that exercise the same code paths, monitoring for inconsistent responses or database states. It specifically targets Adonisjs's Lucid ORM patterns and can detect when transactions are missing.

For Adonisjs applications using Redis for caching or session management, middleBrick also checks for race conditions in distributed cache operations:

// Pattern middleBrick flags as potentially vulnerable
async updateCache({ params, request }) {
  const cacheKey = `product:${params.id}`
  const current = await Cache.get(cacheKey)
  
  const updated = { ...current, ...request.all() }
  await Cache.put(cacheKey, updated, 3600)
  
  return response.json({ success: true })
}

The scanner identifies the read-modify-write pattern in cache operations and flags it as a potential race condition vulnerability.

middleBrick also analyzes your Adonisjs application's OpenAPI specification to identify endpoints that perform state-changing operations without proper concurrency controls:

paths:
  /api/products/buy/{id}:
    post:
      summary: Buy product
      # middleBrick flags this if it detects race condition patterns
      # and provides specific remediation guidance

Adonisjs provides several mechanisms to prevent race conditions, with database transactions being the primary defense. Here's how to remediate the vulnerable transfer funds example:

// Secure Adonisjs transfer using transactions
async transferFunds({ request, response }) {
  const { fromId, toId, amount } = request.all()
  
  const transfer = await Database.transaction(async (trx) => {
    const fromAccount = await Account.query(trx).where('id', fromId).forUpdate().first()
    const toAccount = await Account.query(trx).where('id', toId).forUpdate().first()
    
    if (!fromAccount || !toAccount) {
      throw new Error('Accounts not found')
    }
    
    if (fromAccount.balance < amount) {
      throw new Error('Insufficient funds')
    }
    
    fromAccount.balance -= amount
    toAccount.balance += amount
    
    await fromAccount.save(trx)
    await toAccount.save(trx)
    
    return {
      from: fromAccount.id,
      to: toAccount.id,
      amount,
      timestamp: new Date()
    }
  })
  
  return response.json({ success: true, transfer })
}

This implementation uses a database transaction with row-level locking (forUpdate()) to ensure atomicity. The transaction prevents other operations from modifying these rows until the transfer completes.

For inventory management in Adonisjs, use optimistic locking with version columns:

// Model with optimistic locking
class Product extends BaseModel {
  static get incrementing() {
    return true
  }
  
  static get createdAtColumn() {
    return 'created_at'
  }
  
  static get updatedAtColumn() {
    return 'updated_at'
  }
  
  @column({ isPrimary: true })
  public id: number
  
  @column()
  public name: string
  
  @column()
  public inventory: number
  
  @column()
  public version: number
  
  // Add version increment hook
  $beforeUpdate() {
    this.version = this.version ? this.version + 1 : 1
  }
}

// Controller using optimistic locking
async buyProduct({ params, response }) {
  const product = await Product.find(params.id)
  
  if (!product) {
    return response.notFound('Product not found')
  }
  
  if (product.inventory <= 0) {
    return response.json({ success: false, message: 'Out of stock' })
  }
  
  product.inventory--
  
  try {
    await product.save()
    return response.json({ success: true })
  } catch (error) {
    if (error.code === 'ER_ROW_IS_REFERENCED_2') {
      return response.conflict('Update conflict, please retry')
    }
    throw error
  }
}

For Adonisjs applications using Redis, implement atomic operations with Lua scripts or Redis transactions:

// Secure Redis counter increment
async incrementCounter({ params, response }) {
  const key = `counter:${params.id}`
  
  // Use Redis transaction for atomicity
  const result = await Redis
    .multi()
    .incr(key)
    .get(key)
    .exec()
  
  const [_, newValue] = result[1]
  return response.json({ success: true, count: parseInt(newValue) })
}

middleBrick's Pro plan includes continuous monitoring that can detect if race condition vulnerabilities reappear after remediation, alerting you when your Adonisjs API's security posture changes.