Weekly Repository Maintenance Review - February 1, 2026
This is an automated weekly review of the ffsync repository covering code quality, potential bugs, security, performance, and documentation accuracy.
Executive Summary
The ffsync repository continues to demonstrate strong engineering practices with comprehensive test coverage and robust infrastructure. However, this week's deep analysis identified several critical bugs in the Python Lambda code that could lead to data corruption, incorrect quota calculations, and resource exhaustion. These issues require immediate attention.
1. CRITICAL Issues Requiring Immediate Action
🔴 CRITICAL: Race Condition in Collection Metadata Updates
File: lambda/src/services/storage_manager.py:319-329
Severity: CRITICAL
Issue: The update_collection method reads collection metadata, performs updates, then writes back the metadata. Between read and write, concurrent requests can modify the collection, causing count and usage to become incorrect.
Impact: Data corruption - collection count/usage metrics become inaccurate under concurrent load.
Fix Required: Use DynamoDB atomic operations with UpdateExpression to increment counters directly.
🔴 CRITICAL: Incorrect Usage Calculation in update_collection
File: lambda/src/services/storage_manager.py:320-322
Severity: CRITICAL
Issue: When updating objects, the code adds new payload sizes but doesn't subtract old payload sizes.
Impact: Quota calculations become incorrect, causing false quota errors or allowing users to exceed quota.
Fix Required: Retrieve old objects, subtract their sizes, then add new sizes.
🔴 CRITICAL: DynamoDB Scan Operations
File: lambda/src/services/storage_manager.py:381-387, 673-698
Severity: CRITICAL
Issue: Using table.scan() instead of query() for listing collections.
Impact: Scans read the entire table, consuming massive RCUs; performance degrades linearly with table size, with high cost at scale and potential throttling.
Fix Required: Add a GSI with user_id as partition key for efficient queries.
🔴 CRITICAL: No Rate Limiting on Token Generation
File: lambda/src/routes/token/request.py
Severity: CRITICAL
Issue: No rate limiting on token generation endpoint.
Impact: Attackers can generate unlimited tokens, DynamoDB cost explosion, token cache pollution, resource exhaustion / DoS attacks.
Fix Required: Implement per-IP and per-user rate limiting using API Gateway throttling or DynamoDB-based tracking.
2. HIGH Priority Issues (7 issues)
See detailed analysis at: #167
Key issues:
- Missing metadata updates in delete_collection_objects
- Missing pagination in delete_collection
- N+1 query problem in batch operations
- NoSQL injection via filter expressions
- Timing attack in HAWK MAC verification
- User enumeration via client state validation
- Incorrect variable assignment in UpdateCollectionRoute
3. Summary of Findings
| Severity | Count | Status |
|---|---|---|
| CRITICAL | 4 | 🔴 Require immediate action |
| HIGH | 7 | 🟠 High priority fixes |
| MEDIUM | 6 | 🟡 Should be addressed |
4. Recommended Action Plan
Week 1 (Immediate)
- Fix race condition in collection metadata updates
- Fix usage calculation bug
- Add GSI to eliminate SCAN operations
- Implement rate limiting on token endpoint
- Add pagination to delete_collection
Conclusion
This week's review uncovered critical bugs that could impact data integrity and system scalability. The race condition and usage calculation issues are particularly concerning as they can lead to data corruption.
Overall Grade: B- (downgraded from A due to critical bugs)
CRITICAL ACTION REQUIRED: Address the 4 critical issues within this week to prevent data corruption and cost/performance problems.
Generated by Claude Code Weekly Repository Review
Date: 2026-02-01
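For the two storage_manager.py findings above (the read-modify-write race on count/usage and the missing subtraction of old payload sizes), one way to compute a net delta and apply it with an atomic ADD. This is an added example, not code from the ffsync repository; the key names `user_id` and `collection`, the helper names and the in-memory `simulate` model are assumptions.

```python
# Added example: key schema and helper names are assumptions, not ffsync code.

def collection_deltas(old_sizes, new_sizes):
    """Net change caused by writing new_sizes over old_sizes.

    Both arguments map object id -> payload size in bytes; old_sizes holds
    only the objects that already exist in the collection.
    """
    count_delta = sum(1 for oid in new_sizes if oid not in old_sizes)
    # Subtract the replaced payload so overwrites do not inflate usage.
    usage_delta = sum(size - old_sizes.get(oid, 0)
                      for oid, size in new_sizes.items())
    return count_delta, usage_delta


def build_atomic_update(user_id, collection, old_sizes, new_sizes):
    """Keyword arguments for boto3 Table.update_item(**kwargs).

    ADD is applied server-side, so concurrent writers cannot overwrite each
    other's counters. "count" and "usage" are aliased through
    ExpressionAttributeNames, which avoids reserved-word clashes.
    """
    count_delta, usage_delta = collection_deltas(old_sizes, new_sizes)
    return {
        "Key": {"user_id": user_id, "collection": collection},  # assumed keys
        "UpdateExpression": "ADD #count :c, #usage :u",
        "ExpressionAttributeNames": {"#count": "count", "#usage": "usage"},
        "ExpressionAttributeValues": {":c": count_delta, ":u": usage_delta},
    }


def simulate(writes, atomic):
    """Replay concurrent writes against in-memory metadata (constructed model).

    Non-atomic mode is the worst-case interleaving: every writer reads the
    same snapshot before any of them writes back, so the last write wins.
    """
    meta = {"count": 0, "usage": 0}
    snapshot = dict(meta)
    for old_sizes, new_sizes in writes:
        c, u = collection_deltas(old_sizes, new_sizes)
        base = meta if atomic else snapshot
        meta = {"count": base["count"] + c, "usage": base["usage"] + u}
    return meta


if __name__ == "__main__":
    writes = [({}, {"a": 100}), ({}, {"b": 50})]  # constructed sample input
    print(simulate(writes, atomic=False), simulate(writes, atomic=True))
```

The old sizes still come from a separate read; a `put_item` with `ReturnValues="ALL_OLD"` returns the item that was actually replaced, which closes that remaining window for single-object writes.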