🚨 Critical: Race Condition in GitHub Token Pool Management
Severity: CRITICAL
Description
A race condition exists in the GitHub token pool management system in lib/github.ts. The module-level mutable variable currentTokenIndex (line 98) is read and mutated from multiple concurrent async requests without any synchronization mechanism (mutex, lock, or atomic operations).
Impact
In a serverless/production environment handling concurrent HTTP requests:
- Token Skipping: Multiple requests can read the same currentTokenIndex value simultaneously, causing valid tokens to be skipped entirely
- Rate Limit Amplification: Concurrent requests hitting the same token simultaneously exhaust its rate limit quota faster than expected
- Inconsistent State: currentTokenIndex can exceed tokens.length in edge cases due to interleaved read-modify-write operations
Reproduction Scenario
Request A reads currentTokenIndex = 2
Request B reads currentTokenIndex = 2 (before A increments)
Request A uses token[2] and increments to 3
Request B also uses token[2] (duplicate!) and increments to 3
Token[3] is never used — skipped entirely
Affected Code
lib/github.ts:98 — currentTokenIndex declaration
lib/github.ts:279,308 — reassignment during 401/429 handling in fetchWithRetry
lib/github.ts:637-736 — token selection and index mutation
Suggested Fix
Implement atomic token index operations using one of:
- A mutex/lock around token selection and index increment
- Atomics.add() with a shared SharedArrayBuffer
- Thread-safe token pool with compare-and-swap semantics
- Per-request token assignment via a central coordinator
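As an added illustration (not code from lib/github.ts or the project), the reproduction scenario above and a synchronous fix in TypeScript; the token values and function names are constructed, and generator `yield`s stand in for the `await`s that let two requests interleave:

```typescript
// Added example, not code from lib/github.ts: a constructed token pool that
// replays the interleaving from the report and one way to close it. `yield`
// marks where the real code would `await`, so a tiny scheduler can interleave
// two requests deterministically. All names and tokens here are hypothetical.
export type Pool = { tokens: string[]; index: number };
type Request = Generator<void, string, void>;

// Vulnerable shape: read the index, yield to the event loop, then write it
// back. A second request running in the gap sees the same index, so one token
// is used twice, the next is skipped, and the counter grows past the last slot.
export function* pickRacy(pool: Pool): Request {
  const idx = pool.index;                    // read
  yield;                                     // e.g. awaiting a rate-limit lookup
  pool.index = pool.index + 1;               // unbounded write based on a stale read
  return pool.tokens[idx];
}

// Hardened shape: read, increment and wrap in one synchronous step with no
// await in between. Node's single-threaded event loop cannot run another task
// between two synchronous statements, so this step needs no mutex; a lock
// (as the report suggests) is only required if selection must span an await.
export function nextIndex(pool: Pool): number {
  const idx = pool.index;
  pool.index = (pool.index + 1) % pool.tokens.length; // never exceeds length
  return idx;
}
export function* pickSafe(pool: Pool): Request {
  const idx = nextIndex(pool);               // atomic with respect to the event loop
  yield;                                     // any later await is harmless
  return pool.tokens[idx];
}

// Scheduler: drive all requests round-robin one yield at a time, which is
// exactly "A reads, B reads, A writes, B writes" from the report.
export function runConcurrently(reqs: Request[]): string[] {
  const out: string[] = new Array(reqs.length);
  const pending = reqs.map((r, i) => ({ r, i }));
  while (pending.length) {
    const { r, i } = pending.shift()!;
    const step = r.next();
    if (step.done) out[i] = step.value; else pending.push({ r, i });
  }
  return out;
}

const demo: Pool = { tokens: ["tok_A", "tok_B", "tok_C", "tok_D"], index: 2 };
console.log(runConcurrently([pickRacy(demo), pickRacy(demo)]), demo.index); // tok_C twice, index 4
```

Swapping `pickRacy` for `pickSafe` in the demo yields tok_C and tok_D with the index wrapped to 0.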
Severity Justification
This bug can cause cascading failures across all GitHub API integrations in the application, affecting:
- Commit tracking
- Repository analysis
- Architecture endpoint
- All features dependent on GitHub token authentication
Labels: bug, critical, security, concurrency