[Bug:] Server Fails to Store and Enforce the Host's Player Limit #160
Description
This vulnerability is a two-part failure on the server-side:
- The server ignores and discards the maximum player limit set by the host during room creation.
- The server fails to check if a room is full before allowing new players to join.
Part 1: The Client-Side - Where the Rule is Set
The host sets a rule, but this is only happening in the user's browser.
File: client/src/pages/CreateRoom.jsx
Evidence: In this file, the UI for setting the number of players is explicitly capped at a maximum of 12.
code Jsx
[
{ label: "NO. OF PLAYERS", value: players, set: setPlayers, max: 12 }, // <--- The UI limit is set here.
{ label: "NO. OF ROUNDS", value: rounds, set: setRounds, max: 20 },
].map(/* ... */)
When the host clicks "Create Room," this number is sent to the server in the request payload.
code JavaScript
const payload = {
// ...
players, // <--- The number set by the host (e.g., 8, 10, or 12) is sent here.
// ...
};
const res = await fetch("https://guessync.onrender.com/api/room/create", {
method: "POST",
// ...
body: JSON.stringify(payload),
});
Part 2: The Server-Side - Where the Rule is Ignored
This is the core of the bug. The server receives the rule but does nothing with it.
File: server/controllers/roomController.js
Function: createRoom
Evidence of Failure 1 (Ignoring the Limit): The controller receives the players variable from the request body but never saves it to the database. It is immediately discarded.
code JavaScript
// ... inside createRoom function in roomController.js
export const createRoom = async (req, res) => {
const {
// ...
players, // <--- This variable is received from the client...
// ...
} = req.body;
// ...
const newRoom = new Room({
// ...
// ... But `players` is NEVER used here. It's not saved anywhere.
settings: {
rounds,
duration,
language: req.body.language || "tamil",
},
// ...
});
await newRoom.save(); // The room is saved without its max player limit.
// ...
};
File: server/controllers/roomController.js
Function: joinRoom
Evidence of Failure 2 (Not Checking for Full Room): When another user tries to join, this function checks if the room exists but has no logic to check the number of current players.
code JavaScript
// ... inside joinRoom function in roomController.js
export const joinRoom = async (req, res) => {
const { code, uid, name, avatar } = req.body;
try {
const room = await Room.findOne({ code });
// ... (checks if room exists, checks if user already joined) ...
// !!! --- CRITICAL FLAW IS HERE --- !!!
// There is NO code here that checks:
// if (room.players.length >= room.settings.maxPlayers)
// It completely skips this vital check.
room.players.push({ uid, name, avatar }); // It adds the player unconditionally.
await room.save();
res.json({ message: "Joined room", room });
} catch (err) {
// ...
}
};
Part 2 : demo
Here, the host sets limit as one but we can see in the below second image that two and more participants are able to wait in the room followed by participation.
