Race Condition Vulnerability in PlayCanvas Stable JS file

Hi Admins,

After doing a code scan of the PlayCanvas Stable JS file, a race condition vulnerability was flagged on line 33778.

Abstract: The call to get() in playcanvas-stable.min.js on line 33778 sets a callback that could lead to a race condition.

Kindly advise how to rectify such a vulnerability.

    if (path.getExtension(url.original) === '.json') {
        http.get(url.load, {   // call flagged by the scan
            retry: this.maxRetries > 0,
            maxRetries: this.maxRetries

Hi @S_Y and welcome,

I think as long as maxRetries is set to < Infinity that would work as expected.

Would you like to open an issue about it in the engine repo? It will get more visibility by the development team.

I believe setting maxRetries to < Infinity will still surface the RACE CONDITION vulnerability. Did PlayCanvas look into this before?

More info on race condition: 🚗Race Condition in Web Applications


I am not sure but let’s see how the team will comment. Many thanks for opening the issue, posting the link for reference:

I will be answering this in the GitHub issue.

Yes, there can be a race condition where the data that was requested by http.get is not returned in a deterministic order. As it’s a request to the server, it’s dependent on many conditions that aren’t controlled by the engine, e.g. size of file, network issues, server speeds etc.

It is possible to request:

Resource 1
Resource 2
Resource 3
Resource 4

And get back the order of

Resource 3
Resource 4
Resource 2
Resource 1

It is the developers’ responsibility to ensure that they avoid situations where the order matters and only handle the response once everything is ready.

E.g. the engine preloads assets and waits until they are all loaded from the server before starting the app.

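The ordering issue described in the answer above, as an added JavaScript example that is not part of the thread or of the PlayCanvas engine: four requests complete in the order 3, 4, 2, 1, handled once in arrival order and once only after everything is ready. `createFakeHttp`, `loadInArrivalOrder`, `loadAll` and `demo` are hypothetical names, and the fake client is a constructed stand-in for an asynchronous `http.get` with a callback.

```javascript
// Constructed stand-in for an asynchronous HTTP client (not the PlayCanvas API):
// get() only registers the callback, respond() delivers a response later.
function createFakeHttp() {
  const pending = new Map();
  return {
    get(url, callback) { pending.set(url, callback); },
    respond(url, err, body) {
      const callback = pending.get(url);
      pending.delete(url);
      callback(err, body);
    },
  };
}

// Order-sensitive handling: results are appended as responses arrive.
function loadInArrivalOrder(http, urls, done) {
  const results = [];
  urls.forEach((url) => {
    http.get(url, (err, body) => {
      results.push(body);
      if (results.length === urls.length) done(null, results);
    });
  });
}

// Order-independent handling: each body is stored at the index of its request and
// done() fires once, after every response has arrived or on the first error.
function loadAll(http, urls, done) {
  const results = new Array(urls.length);
  let remaining = urls.length;
  let finished = remaining === 0;
  if (finished) return done(null, results);
  urls.forEach((url, i) => {
    http.get(url, (err, body) => {
      if (finished) return; // ignore responses that arrive after a failure
      if (err) { finished = true; return done(err); }
      results[i] = body;
      if (--remaining === 0) { finished = true; done(null, results); }
    });
  });
}

// Request Resource 1..4, then deliver responses in the order from the thread: 3, 4, 2, 1.
function demo(loader, failing) {
  const http = createFakeHttp();
  const calls = [];
  loader(http, ['Resource 1', 'Resource 2', 'Resource 3', 'Resource 4'], (err, res) => calls.push(err ? 'error' : res.join(',')));
  for (const n of [3, 4, 2, 1]) http.respond(`Resource ${n}`, n === failing ? new Error('failed') : null, `body${n}`);
  return calls;
}
```

`demo(loadInArrivalOrder)` yields the bodies in arrival order, while `demo(loadAll)` yields them in request order regardless of which response came back first.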