fix: harden gateway lock validation (#1572) (thanks @steipete)

2026-01-24 08:14:30 +00:00
parent 90685ef814
commit 3fff943ba1
5 changed files with 221 additions and 28 deletions
--- a/src/infra/gateway-lock.test.ts
+++ b/src/infra/gateway-lock.test.ts
@@ -1,10 +1,13 @@
+import { createHash } from "node:crypto";
+import fsSync from "node:fs";
 import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";

-import { describe, expect, it } from "vitest";
+import { describe, expect, it, vi } from "vitest";

 import { acquireGatewayLock, GatewayLockError } from "./gateway-lock.js";
+import { resolveConfigPath, resolveStateDir } from "../config/paths.js";

 async function makeEnv() {
  const dir = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-gateway-lock-"));
@@ -22,6 +25,41 @@ async function makeEnv() {
  };
 }

+function resolveLockPath(env: NodeJS.ProcessEnv) {
+  const stateDir = resolveStateDir(env);
+  const configPath = resolveConfigPath(env, stateDir);
+  const hash = createHash("sha1").update(configPath).digest("hex").slice(0, 8);
+  return { lockPath: path.join(stateDir, `gateway.${hash}.lock`), configPath };
+}
+
+function makeProcStat(pid: number, startTime: number) {
+  const fields = [
+    "R",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    "1",
+    String(startTime),
+    "1",
+    "1",
+  ];
+  return `${pid} (node) ${fields.join(" ")}`;
+}
+
 describe("gateway lock", () => {
  it("blocks concurrent acquisition until release", async () => {
    const { env, cleanup } = await makeEnv();
@@ -52,4 +90,98 @@ describe("gateway lock", () => {
    await lock2?.release();
    await cleanup();
  });
+
+  it("treats recycled linux pid as stale when start time mismatches", async () => {
+    const { env, cleanup } = await makeEnv();
+    const { lockPath, configPath } = resolveLockPath(env);
+    const payload = {
+      pid: process.pid,
+      createdAt: new Date().toISOString(),
+      configPath,
+      startTime: 111,
+    };
+    await fs.writeFile(lockPath, JSON.stringify(payload), "utf8");
+
+    const readFileSync = fsSync.readFileSync;
+    const statValue = makeProcStat(process.pid, 222);
+    const spy = vi.spyOn(fsSync, "readFileSync").mockImplementation((filePath, encoding) => {
+      if (filePath === `/proc/${process.pid}/stat`) {
+        return statValue;
+      }
+      return readFileSync(filePath as never, encoding as never) as never;
+    });
+
+    const lock = await acquireGatewayLock({
+      env,
+      allowInTests: true,
+      timeoutMs: 200,
+      pollIntervalMs: 20,
+      platform: "linux",
+    });
+    expect(lock).not.toBeNull();
+
+    await lock?.release();
+    spy.mockRestore();
+    await cleanup();
+  });
+
+  it("keeps lock on linux when proc access fails unless stale", async () => {
+    const { env, cleanup } = await makeEnv();
+    const { lockPath, configPath } = resolveLockPath(env);
+    const payload = {
+      pid: process.pid,
+      createdAt: new Date().toISOString(),
+      configPath,
+      startTime: 111,
+    };
+    await fs.writeFile(lockPath, JSON.stringify(payload), "utf8");
+
+    const readFileSync = fsSync.readFileSync;
+    const spy = vi.spyOn(fsSync, "readFileSync").mockImplementation((filePath, encoding) => {
+      if (filePath === `/proc/${process.pid}/stat`) {
+        throw new Error("EACCES");
+      }
+      return readFileSync(filePath as never, encoding as never) as never;
+    });
+
+    await expect(
+      acquireGatewayLock({
+        env,
+        allowInTests: true,
+        timeoutMs: 120,
+        pollIntervalMs: 20,
+        staleMs: 10_000,
+        platform: "linux",
+      }),
+    ).rejects.toBeInstanceOf(GatewayLockError);
+
+    spy.mockRestore();
+
+    const stalePayload = {
+      ...payload,
+      createdAt: new Date(0).toISOString(),
+    };
+    await fs.writeFile(lockPath, JSON.stringify(stalePayload), "utf8");
+
+    const staleSpy = vi.spyOn(fsSync, "readFileSync").mockImplementation((filePath, encoding) => {
+      if (filePath === `/proc/${process.pid}/stat`) {
+        throw new Error("EACCES");
+      }
+      return readFileSync(filePath as never, encoding as never) as never;
+    });
+
+    const lock = await acquireGatewayLock({
+      env,
+      allowInTests: true,
+      timeoutMs: 200,
+      pollIntervalMs: 20,
+      staleMs: 1,
+      platform: "linux",
+    });
+    expect(lock).not.toBeNull();
+
+    await lock?.release();
+    staleSpy.mockRestore();
+    await cleanup();
+  });
 });