Disagreement · 5bbcd2d3-openai-0

maybeRestoreCredsFromBackup silently aborts on corrupt creds.json and never restores from backup

mismatch

repo 5149da9d·PR #3·reviewed 2 days ago

Primary finding

maybeRestoreCredsFromBackup silently aborts on corrupt creds.json and never restores from backup

highbughigh

src/web/auth-store.ts:56-62
src/web/auth-store.ts:76-80

If creds.json exists but is corrupted (JSON.parse throws), the exception is caught by the outer catch and the function returns without attempting to restore from backup. The intent (per the warning message) is to restore corrupted creds from backup, but current control flow prevents that on parse errors.

Recommendation

Change control flow so that a JSON parse failure falls through to the backup-restore path instead of being swallowed. For example: - Wrap only the JSON.parse(raw) in a try/catch; on failure, continue to check and restore backup. - Or use a parsedOk flag: if (!rawParsedOk) then attempt backup. Also avoid a broad outer catch that swallows parse errors and restoration errors without logging.

Counterpart finding

maybeRestoreCredsFromBackup races with concurrent reads of creds.json

lowconcurrencylow

src/web/auth-store.ts:51-79

Restoration uses copyFileSync directly to creds.json rather than write-and-rename, leaving a window where creds.json is partially written. If another process (e.g., the baileys runtime) reads creds.json mid-copy, it could see truncated content. Since this runs during webAuthExists, it is on a hot path during startup; concurrent processes touching the same auth dir could observe corruption. Likelihood is low under normal single-process usage but the recommended pattern is rename-after-write.

Recommendation

Copy backup to a temp path (e.g., creds.json.restore), chmod, then fsSync.renameSync over creds.json for an atomic swap.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

highbug
Allowlist comparisons use normalized lists but compare against unnormalized candidates (can mis-block/allow DMs/groups)
view anatomy →

← back to all disagreements view public receipts see unanimous findings + anatomies →

Tweet ↗