Description
In the admin batch schedule endpoint (POST /api/v3/schedules/batch), host availability is validated outside any transaction, then schedules are created later. This is a TOCTOU vulnerability.
The single schedule creation path has the same TOCTOU issue but at least validates closer to the insert.
Affected Code
src/quads/server/blueprints/schedules.py:574-582 (validation loop)
src/quads/server/blueprints/schedules.py:631-639 (creation loop)
Recommended Fix
Perform both availability validation and schedule creation within a single database transaction using row-level locking (SELECT ... FOR UPDATE).
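A sketch of the check-and-create pattern the fix describes, as an added example that is not QUADS code. The table and column names, `open_db`, `create_batch`, and `HostUnavailable` are hypothetical. It runs on SQLite so it works offline; SQLite has no `SELECT ... FOR UPDATE`, so `BEGIN IMMEDIATE` (a database-wide write lock) stands in for the row-level lock you would take on the host rows in a server database.

```python
import sqlite3

# Hypothetical schema for illustration; not the QUADS data model.
SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE IF NOT EXISTS schedules (
    id INTEGER PRIMARY KEY,
    host_id INTEGER NOT NULL REFERENCES hosts(id),
    start_ts TEXT NOT NULL,   -- ISO-8601 strings, so text comparison orders correctly
    end_ts TEXT NOT NULL
);
"""

class HostUnavailable(Exception):
    """Raised when any host in the batch is unknown or already booked."""

def open_db(path=":memory:"):
    # isolation_level=None disables implicit transactions; we BEGIN/COMMIT explicitly.
    conn = sqlite3.connect(path, isolation_level=None)
    conn.executescript(SCHEMA)
    return conn

def create_batch(conn, hostnames, start, end):
    """Validate availability and insert every schedule inside one transaction."""
    # Take the write lock BEFORE the availability check so no other writer can
    # book a host between the check and the insert. On a server database, use
    # SELECT ... FOR UPDATE on the host rows here instead.
    conn.execute("BEGIN IMMEDIATE")
    try:
        created = []
        for name in hostnames:
            host = conn.execute("SELECT id FROM hosts WHERE name = ?", (name,)).fetchone()
            if host is None:
                raise HostUnavailable(f"unknown host: {name}")
            # Two windows overlap when each starts before the other ends.
            clash = conn.execute(
                "SELECT 1 FROM schedules WHERE host_id = ? AND start_ts < ? AND end_ts > ?",
                (host[0], end, start),
            ).fetchone()
            if clash:
                raise HostUnavailable(f"host already scheduled: {name}")
            cur = conn.execute(
                "INSERT INTO schedules (host_id, start_ts, end_ts) VALUES (?, ?, ?)",
                (host[0], start, end),
            )
            created.append(cur.lastrowid)
        conn.execute("COMMIT")
        return created
    except Exception:
        conn.execute("ROLLBACK")  # a single conflict discards the whole batch
        raise
```

Because validation and insertion share one transaction, a conflict on any host leaves no partially created batch behind.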