MonkeScripts / pe


Poor sanitisation #20

Open MonkeScripts opened 5 months ago

MonkeScripts commented 5 months ago

image.png

nus-se-bot commented 5 months ago

Team's Response

From the only screenshot provided, it's shown that your inputs were sanitized and parsed correctly.

Your first two inputs were correctly invalidated as they do not fit our command format.

image.png

For your last input, `search -q 0.. -e 17-09-2022..23-11-2024 ..23-11-2025`, we see that your input was accepted. Why is this so? Well, this is because `search -q 0.. -e 17-09-2022..23-11-2024` is a completely valid command. The only caveat is that you added some extra junk characters to the end of your command (`..23-11-2025`).

Ultimately, as you've provided a valid search command, our application is right to accept your input. Now that your command has passed the input validation check, it will be sanitized and parsed accordingly.

Evidently, the last part of your input (`..23-11-2025`) was correctly ignored by the application (given the fact that it is junk input and redundant), and the command was only executed on the valid parameters provided. Do note that, as part of our input sanitization process, we delete unwanted characters from valid inputs to handle typos from users. In this case, the trailing junk characters which you've included have been deleted and ignored by the application.

Therefore, your input has been validated and sanitized appropriately.

We'll reduce the severity of this bug to Low as this bug evidently has no severe impact on the functionality of the application. The initially assigned High severity is completely unjustified and unwarranted.

Items for the Tester to Verify

:question: Issue response

Team chose [response.Rejected]

Reason for disagreement: I feel that the inputs are not sanitised properly, in the sense that the additional characters at the end of commands are still allowed and the command still runs. This would be a problem when we try to reread the logs and backtrack the search queries. The additional characters after the command would also be confusing to look at in the log. The user could have erroneously assumed that he had mistyped the ranges and chosen the 'fake range' after the command.


## :question: Issue severity

Team chose [`severity.Low`]
Originally [`severity.High`]

- [x] I disagree

**Reason for disagreement:** [replace this with your reason]
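The two parsing behaviours argued over in this thread, side by side, as an added example that is not the project's own code: the lenient mode models what the team describes (the valid prefix `search -q 0.. -e 17-09-2022..23-11-2024` is executed and the trailing `..23-11-2025` is dropped), the strict mode rejects any unconsumed input, and `canonical()` shows how to log the command that actually ran rather than the raw input, which is the tester's logging concern. The page does not state the application's language or its real command grammar, so the choice of Python, the reading of `-q` as a numeric range and `-e` as a date range, the `dd-mm-yyyy` date format and the canonical log form are all assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Callable, Optional, Tuple

# Assumed grammar (an assumption for this example, not the project's real one):
#   search -q <lo>..<hi> -e <dd-mm-yyyy>..<dd-mm-yyyy>
# Either bound of a range may be empty, so "0.." means "0 and above".


class ParseError(ValueError):
    """Raised when the command does not match the grammar."""


@dataclass(frozen=True)
class SearchQuery:
    q_lo: Optional[int]
    q_hi: Optional[int]
    e_lo: Optional[date]
    e_hi: Optional[date]
    leftover: str  # trailing tokens a lenient parse discarded ("" if none)


def _num_bound(text: str) -> Optional[int]:
    return None if text == "" else int(text)  # int() raises ValueError on junk


def _date_bound(text: str) -> Optional[date]:
    return None if text == "" else datetime.strptime(text, "%d-%m-%Y").date()


def _parse_range(token: str, bound: Callable[[str], object]) -> Tuple[object, object]:
    if ".." not in token:
        raise ParseError(f"range {token!r} must look like lo..hi")
    lo, hi = token.split("..", 1)  # a second ".." stays in hi and fails bound()
    try:
        return bound(lo), bound(hi)
    except ValueError as exc:
        raise ParseError(f"bad range {token!r}: {exc}") from exc


def parse_search(command: str, strict: bool = True) -> SearchQuery:
    """Parse a search command.

    strict=True  rejects any input left over after the recognised flags.
    strict=False models the behaviour the team describes: the valid prefix is
    executed and whatever follows is dropped, but recorded in `leftover`.
    """
    tokens = command.split()
    if not tokens or tokens[0] != "search":
        raise ParseError("not a search command")

    q = e = None
    i = 1
    while i + 1 < len(tokens) and tokens[i] in ("-q", "-e"):
        flag, value = tokens[i], tokens[i + 1]
        if flag == "-q":
            if q is not None:
                raise ParseError("duplicate -q")
            q = _parse_range(value, _num_bound)
        else:
            if e is not None:
                raise ParseError("duplicate -e")
            e = _parse_range(value, _date_bound)
        i += 2

    if q is None or e is None:
        raise ParseError("both -q and -e are required")

    leftover = " ".join(tokens[i:])
    if strict and leftover:
        raise ParseError(f"unexpected trailing input: {leftover!r}")
    return SearchQuery(q[0], q[1], e[0], e[1], leftover)


def accepts(command: str, strict: bool = True) -> bool:
    """True if the command parses under the given mode, False otherwise."""
    try:
        parse_search(command, strict=strict)
        return True
    except ParseError:
        return False


def canonical(query: SearchQuery) -> str:
    """The command that was actually executed, in a form safe to write to the log."""
    def num(v: Optional[int]) -> str:
        return "" if v is None else str(v)

    def day(v: Optional[date]) -> str:
        return "" if v is None else v.strftime("%d-%m-%Y")

    return (f"search -q {num(query.q_lo)}..{num(query.q_hi)}"
            f" -e {day(query.e_lo)}..{day(query.e_hi)}")


if __name__ == "__main__":
    reported = "search -q 0.. -e 17-09-2022..23-11-2024 ..23-11-2025"  # input from the issue
    lenient = parse_search(reported, strict=False)
    print("executed:", canonical(lenient), "| ignored:", repr(lenient.leftover))
    print("strict accepts it:", accepts(reported))
```

The lenient mode keeps the discarded tail instead of silently deleting it, so an audit log can record both `canonical(query)` and `leftover` and a reader of the log is not left guessing which range was used; the strict mode removes the ambiguity entirely by refusing the command.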