AjayArvind2207 / pe


Text in the command box after successfully editing note is jarring and reveals inner implementation. #7

Open AjayArvind2207 opened 2 months ago

AjayArvind2207 commented 2 months ago

I ran the following command: `editnote 9 1 Test`

Instead of getting the normal success message, which I would imagine would look like the following:

Note edited for Startup: D; Industry: A; Funding Stage: S; Phone: 123; Email: c@de; Address: A; Valuation: 1; Notes: Test Hello ; Tags:

I get the following: Note edited for Startup: seedu.address.model.startup.Startup{name=D, industry=A, funding stage=S, phone=123, email=c@de, address=A, valuation=1, tags=[], persons=[], notes=[Test, Hello]}

While aesthetically this is not a big deal, this is especially dangerous because it reveals the inner implementation and structure of your jar, which could potentially make it vulnerable.
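To make the report concrete, the following is an added example in Java, not code from this repository or from the team's project. The `Startup` stand-in, its field names, the `format` helper and the `revealsInternals` check are all assumptions chosen to reproduce the two messages quoted above: a success message that concatenates the model object directly picks up its `toString()`, which (via `getClass().getName()`) carries the fully qualified class name, whereas a dedicated formatter renders only user-facing fields.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example, not code from the AjayArvind2207/pe repository or the team's
// project. The Startup stand-in, the field names and the formatter are
// assumptions chosen to reproduce the two messages quoted in the report.
public class FeedbackMessageExample {

    // Minimal stand-in for the model class. Its toString() follows the common
    // "ClassName{field=value, ...}" style and uses getClass().getName(), which is
    // why a fully qualified name ends up in any message that interpolates the object.
    static final class Startup {
        final String name;
        final String industry;
        final String fundingStage;
        final String phone;
        final String email;
        final String address;
        final String valuation;
        final List<String> tags;
        final List<String> persons;
        final List<String> notes;

        Startup(String name, String industry, String fundingStage, String phone,
                String email, String address, String valuation,
                List<String> tags, List<String> persons, List<String> notes) {
            this.name = name;
            this.industry = industry;
            this.fundingStage = fundingStage;
            this.phone = phone;
            this.email = email;
            this.address = address;
            this.valuation = valuation;
            this.tags = tags;
            this.persons = persons;
            this.notes = notes;
        }

        @Override
        public String toString() {
            return getClass().getName() + "{name=" + name + ", industry=" + industry
                    + ", funding stage=" + fundingStage + ", phone=" + phone
                    + ", email=" + email + ", address=" + address
                    + ", valuation=" + valuation + ", tags=" + tags
                    + ", persons=" + persons + ", notes=" + notes + "}";
        }
    }

    // Leaky variant: string concatenation with the model object calls toString().
    static String leakyMessage(Startup s) {
        return "Note edited for Startup: " + s;
    }

    // Fixed variant: a dedicated formatter renders only the user-facing fields,
    // so the message no longer depends on the model's toString() at all.
    static String format(Startup s) {
        return "Startup: " + s.name
                + "; Industry: " + s.industry
                + "; Funding Stage: " + s.fundingStage
                + "; Phone: " + s.phone
                + "; Email: " + s.email
                + "; Address: " + s.address
                + "; Valuation: " + s.valuation
                + "; Notes: " + String.join(" ", s.notes)
                + "; Tags: " + String.join(" ", s.tags);
    }

    static String fixedMessage(Startup s) {
        return "Note edited for " + format(s);
    }

    // Regression check for user-facing text: flag a qualified Java identifier
    // (dots or '$' between segments) immediately followed by '{', the shape of
    // an object dump such as "seedu.address.model.startup.Startup{...}".
    private static final Pattern OBJECT_DUMP =
            Pattern.compile("[A-Za-z_][\\w$]*(?:[.$][A-Za-z_][\\w$]*)+\\{");

    static boolean revealsInternals(String message) {
        return OBJECT_DUMP.matcher(message).find();
    }

    public static void main(String[] args) {
        // Constructed input matching the values in the report.
        Startup s = new Startup("D", "A", "S", "123", "c@de", "A", "1",
                List.of(), List.of(), List.of("Test", "Hello"));

        System.out.println(leakyMessage(s));
        System.out.println(fixedMessage(s));
        System.out.println("leaky reveals internals: " + revealsInternals(leakyMessage(s)));
        System.out.println("fixed reveals internals: " + revealsInternals(fixedMessage(s)));
    }
}
```

Run with `java FeedbackMessageExample.java` (Java 11 or later). The `revealsInternals` check is the kind of assertion a unit test on command feedback could carry so that a future `toString()` leak is caught before release rather than by a user.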

nus-se-bot commented 2 months ago

Team's Response

This output message does not show much about the inner implementation and structure of the jar. Furthermore, this information is already what is displayed in the UI as well as the local data file which is in the same json format. Knowing the directories to a certain class will not have a severe impact on the security of the application. We would reclassify this as a Functionality Bug of Very Low severity rather than a feature flaw as this issue is primarily cosmetic and can be improved in a future iteration.

Items for the Tester to Verify

:question: Issue type

Team chose [type.FunctionalityBug] Originally [type.FeatureFlaw]

Reason for disagreement: [replace this with your explanation]


## :question: Issue severity

Team chose [`severity.VeryLow`] Originally [`severity.Low`]

- [x] I disagree

**Reason for disagreement:** I would like to claim that the information displayed in the UI is a summary of the information contained in that class, but not the actual class itself. As a user, I now know there is a Startup class under this directory, which is exactly the kind of information that should not be accessible. You have to understand that if I am someone who knows nothing about programming, seeing this kind of inner implementation can be extremely jarring. Also, you are right in saying that with enough consideration, you will probably not face any security issues, but in a way, knowing the way this is structured is telling me a lot of information about how the whole codebase is structured. In the context of open source software available on GitHub it doesn't matter too much, but in the grand scheme of things this is a violation of the concepts we learnt in CS2030S.