fix: prevent joining and spectating games already in progress#2531
Mysterio-17 wants to merge 3 commits into OWASP:master from
Conversation
- Block access to `/games/:game_id` once game has started (prevents spectators)
- Block access to `/games/:game_id/players/new` for started games
- Add defense-in-depth validation in form_component before creating player
- Redirect unauthorized users to `/games` with appropriate error message

Fixes: knowing a game_id allows you to join (and vote in) games already started
Pull request overview
This PR closes a vulnerability where a known game_id could be used to join/spectate games already in progress by blocking access once game.started_at is set, and adds a server-side re-check before player creation.
Changes:
- Block `/games/:game_id` for started games with a redirect + flash.
- Block `/games/:game_id/players/new` in both `mount/3` and `handle_params/3` for started games.
- Re-fetch game state before creating a player to reduce UI-bypass/race issues.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| copi.owasp.org/lib/copi_web/live/player_live/index.ex | Adds started-game checks in mount/3 and handle_params/3 to stop “new player” flows once a game begins. |
| copi.owasp.org/lib/copi_web/live/player_live/form_component.ex | Re-fetches game before player creation and redirects if game is already started. |
| copi.owasp.org/lib/copi_web/live/game_live/show.ex | Blocks public access to game show page once started to prevent unauthorized spectating. |
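The review above describes two layers: a guard in the LiveView entry points (`mount/3` and `handle_params/3`) and a server-side re-check before the player row is written. The following is an added illustration of that pattern, not code from this PR or from the OWASP Cornucopia project; the module and schema names (`Copi.Repo`, `Copi.Games.Game` with a nullable `started_at` field, `Copi.Games.Player`, `CopiWeb.PlayerLive.Index`) and the `/games` redirect target are assumptions.

```elixir
# Added illustration of the PR's approach; not the project's code.
# Assumed names: Copi.Repo, Copi.Games.Game (nullable :started_at),
# Copi.Games.Player and CopiWeb.PlayerLive.Index.
defmodule CopiWeb.PlayerLive.Index do
  use CopiWeb, :live_view
  import Ecto.Query, only: [from: 2]

  alias Copi.Repo
  alias Copi.Games.{Game, Player}

  # Both LiveView entry points are guarded: mount/3 runs on the initial
  # request, while handle_params/3 also runs on in-app (push_patch)
  # navigation, so a guard in only one of them can be bypassed.
  @impl true
  def mount(params, _session, socket), do: {:ok, guard_started(params, socket)}

  @impl true
  def handle_params(params, _uri, socket), do: {:noreply, guard_started(params, socket)}

  defp guard_started(%{"game_id" => game_id}, socket) do
    case Repo.get(Game, game_id) do
      nil ->
        reject(socket, "Game not found")

      %Game{started_at: started_at} when not is_nil(started_at) ->
        reject(socket, "This game has already started; joining is closed")

      %Game{} = game ->
        assign(socket, game: game)
    end
  end

  defp reject(socket, message) do
    socket
    |> put_flash(:error, message)
    |> push_navigate(to: "/games")
  end

  # Server-side re-check for the form submit path. The "not started?"
  # decision and the insert run in one transaction while the game row is
  # locked, so a request that arrives after the game starts, or that races
  # the start, is refused even if the client skipped the UI entirely.
  def create_player(game_id, attrs) do
    Repo.transaction(fn ->
      game =
        from(g in Game, where: g.id == ^game_id, lock: "FOR UPDATE")
        |> Repo.one()

      cond do
        is_nil(game) ->
          Repo.rollback(:not_found)

        not is_nil(game.started_at) ->
          Repo.rollback(:already_started)

        true ->
          changeset = Player.changeset(%Player{}, Map.put(attrs, "game_id", game.id))

          case Repo.insert(changeset) do
            {:ok, player} -> player
            {:error, changeset} -> Repo.rollback(changeset)
          end
      end
    end)
  end
end
```

`create_player/2` returns `{:ok, %Player{}}` or `{:error, :not_found | :already_started | %Ecto.Changeset{}}`, which the form component can map to a flash and redirect. The `FOR UPDATE` lock only closes the race if the code that starts a game also writes the same `games` row (an `UPDATE ... SET started_at`), since that write must wait for the lock; `lock:` is a PostgreSQL/MySQL feature and is not available on SQLite adapters.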
- Use idiomatic Elixir style (`if game.started_at do`)
- Assign fresh game/players in handle_params for LiveView navigations
- Add TOCTOU protection with transaction and row locking in create_player
- Improve error handling with Game not found flash message
Hello @sydseter @rewtd, I've fixed the vulnerability where knowing a game_id allowed unauthorized users to spectate games in progress, by blocking access to
Spectating is an intentional design feature - sharing game_id allows watching. The fix now correctly prevents only player creation/joining for started games.
Hello @rewtd, it's fixed. Now spectating is allowed while only player joining is blocked for started games - attached updated demo video showing the corrected behavior. neww.mp4
I will have a look when I get the time.
Summary
Fixes a security vulnerability where knowing a game_id allowed anyone to join and spectate games that were already in progress.
Fixes: #2521
The Fix
- GameLive.Show: Block access to `/games/:game_id` once `game.started_at` is set - redirects to `/games` with error message
- PlayerLive.Index: Block access to `/games/:game_id/players/new` for started games
- PlayerLive.FormComponent: Re-fetch game from DB before creating player to prevent race conditions

Demo
Before
before.mp4
After
after.1.mp4