[GH-ISSUE #2136] A TOCTOU race in GetObjectWithGeneration (fs backend) #256

New issue

Open

opened 2026-03-03 12:09:27 +03:00 by kerem · 0 comments

kerem commented 2026-03-03 12:09:27 +03:00

Owner

Copy link

Originally created by @misha-drozd on GitHub (Feb 5, 2026).
Original GitHub issue: https://github.com/fsouza/fake-gcs-server/issues/2136

GetObjectWithGeneration may return the data from the wrong generation:

1. GetObjectWithGeneration takes a lock, retrieves object metadata, releases the lock.
2. Here another call might create new generation as no lock is held.
3. GetObjectWithGeneration checks the actual and expected generation
4. GetObjectWithGeneration opens the file (that was replaced on step 2) and returns it.

Originally found in https://github.com/fsouza/fake-gcs-server/pull/2117

Originally created by @misha-drozd on GitHub (Feb 5, 2026). Original GitHub issue: https://github.com/fsouza/fake-gcs-server/issues/2136 `GetObjectWithGeneration` may return the data from the wrong generation: 1. `GetObjectWithGeneration` takes a lock, retrieves object metadata, releases the lock. 2. Here another call might create new generation as no lock is held. 3. `GetObjectWithGeneration` checks the actual and expected generation 4. `GetObjectWithGeneration` opens the file (that was replaced on step 2) and returns it. Originally found in https://github.com/fsouza/fake-gcs-server/pull/2117

kerem referenced this issue 2026-03-15 18:00:04 +03:00

[GH-ISSUE #256] Github Action? #2199

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/examples/node/fast-xml-parser-5.7.1

dependabot/github_actions/goreleaser/goreleaser-action-7.1.0

dependabot/github_actions/actions/cache-5.0.5

v1.54.0

v1.53.1

v1.53.0

v1.52.3

v1.52.2

v1.52.1

v1.52.0

v1.51.0

v1.50.2

v1.50.1

v1.50.0

v1.49.3

v1.49.2

v1.49.1

v1.49.0

v1.48.0

v1.47.8

v1.47.7

v1.47.6

v1.47.5

v1.47.4

v1.47.3

v1.47.2

v1.47.1

v1.47.0

v1.46.0

v1.45.2

v1.45.1

v1.45.0

v1.44.2

v1.44.1

v1.44.0

v1.43.0

v1.42.2

v1.42.1

v1.42.0

v1.41.0

v1.40.3

v1.40.2

v1.40.1

v1.40.0

v1.39.0

v1.38.4

v1.38.3

v1.38.2

v1.38.1

v1.38.0

v1.37.12

v1.37.11

v1.37.10

v1.37.9

v1.37.8

v1.37.3

v1.37.2

v1.37.1

v1.37.0

v1.36.3

v1.36.2

v1.36.1

v1.36.0

v1.35.0

v1.34.1

v1.34.0

v1.33.1

v1.33.0

v1.32.2

v1.32.1

v1.32.0

v1.31.1

v1.31.0

v1.30.2

v1.30.1

v1.30.0

1.29.2

v1.29.1

v1.29.0

v1.28.0

v1.27.0

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.1

v1.23.0

v1.22.7

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.5

v1.19.4

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.1

v1.12.0

v1.11.6

v1.11.5

v1.11.4

v1.11.3

v1.11.2

v1.11.1

v1.11.0

v1.10.1

v1.10.0

v1.9.0

v1.8.0

v1.7.1

v1.7.0

v1.6.2

v1.6.1

v1.6.0

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

Labels

Clear labels   

bug

  

compatibility-issue

  

docker

  

documentation

  

enhancement

  

help wanted

  

needs information

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

unfortunate

  

wontfix

No labels

bug

compatibility-issue

docker

documentation

enhancement

help wanted

needs information

pull-request

question

stale

unfortunate

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/fake-gcs-server#256

No description provided.