merge of data from inside and outside of transaction

[ElectricNroff]

cve-services/src/controller/registry-org.controller/registry-org.controller.js

Line 300 in 1df06cb

const pendingFullState = _.merge({}, org.toObject(), pendingReviewData)

However, org comes from:

cve-services/src/controller/registry-org.controller/registry-org.controller.js

Line 244 in 1df06cb

const org = await repo.findOneByShortName(shortName)

(i.e., what existed in the database whenever that line of code executed) but pendingReviewData comes from:

cve-services/src/controller/registry-org.controller/registry-org.controller.js

Line 294 in 1df06cb

const pendingReview = await reviewRepo.getOrgReviewObjectByOrgShortname(shortName, isSecretariat, { session })

(i.e., reading from the transaction snapshot). By retrieving pendingReviewData and the stored BaseOrg document inside the same transaction, one can increase the likelihood that the review data was intended to be applicable to that BaseOrg document.

[david-rocca]

Developer Notes

Description

The bug report identifies a concurrency issue (specifically read skew) caused by inconsistent transaction usage within the

updateOrg
function.

Issue

Transaction Setup: On line 240, a new database transaction is started with session.startTransaction().
Read Outside Transaction: On line 244, repo.findOneByShortName(shortName) is called to retrieve the organization's information. Because it is missing the { session } option argument, Mongoose executes this query outside of the active transaction snapshot.
Read Inside Transaction: On line 294, reviewRepo.getOrgReviewObjectByOrgShortname(shortName, isSecretariat, { session }) specifically includes the { session } option, meaning this data is retrieved from inside the transaction space.

The Conflict: By merging data collected across two different isolation contexts on line 300 (_.merge({}, org.toObject(), pendingReviewData)), the update becomes vulnerable to race conditions. If another process modifies the BaseOrg database document while this code is running, the fetched org object could be out of sync with what the pendingReview document expects.
Retrieving both documents inside the same transaction ensures they are both snapped to the exact same point in time, guaranteeing data consistency.

Proposed Solution

The fix is straightforward: simply include the database session in the options when fetching the organization so that it operates inside the transaction loop.

Change Line 244 from:

javascript
const org = await repo.findOneByShortName(shortName)
To:

javascript
const org = await repo.findOneByShortName(shortName, { session })
This ensures that the document retrieved reflects the exact state of the database belonging to this specific unit of work, significantly reducing the likelihood of merging conflicting or stale background data.