derekjxtan / pe


Email domain does not accept other valid domains #13

Open derekjxtan opened 9 months ago

derekjxtan commented 9 months ago

Only 5 domains are accepted when there are many other valid ones. One example is the school email, which is ...@nus.edu.sg, and it's not accepted.

nus-pe-script commented 9 months ago

Team's Response

No details provided by team.

The 'Original' Bug

[The team marked this bug as a duplicate of the following bug]

EMAIL parameter is overly restrictive

Description According to the User Guide,

EMAIL is in the format local-part@domain with a 50-character limit. The domain name must end with a domain label that is supported: gmail, yahoo, outlook, hotmail, icloud.

However, this is overly restrictive. Emails can have local-part sections alone that are up to 64 characters, and there are definitely more domain names than the ones mentioned here, such as u.nus.edu. Given that this app is to be used by hotel employees that have to accept the email addresses given by their guests, such input validation is overly restrictive and compromises on its ability to be used in actual hotels.


[original: nus-cs2103-AY2324S1/pe-interim#3103] [original labels: type.FeatureFlaw severity.Medium]

Their Response to the 'Original' Bug

[This is the team's response to the above 'original' bug]

Due to the nature of this project and to improve security, we have purposely restricted the valid domains.

Items for the Tester to Verify

:question: Issue duplicate status

Team chose to mark this issue as a duplicate of another issue (as explained in the Team's response above)

Reason for disagreement: [replace this with your explanation]


## :question: Issue response

Team chose [`response.Rejected`]

- [x] I disagree

**Reason for disagreement:** While I agree with the dev team that validating and sanitizing input is an important security practice, without further elaboration from the dev team, I find it hard to accept this argument: "Due to the nature of this project and to improve security, we have purposely restricted the valid domains." Accepting a domain like u.nus.edu is not going to cause security issues for the application. Furthermore, since this app is used by hotels, the dev team should have considered the common case where corporate clients are going to make bookings as well. Companies usually have their own domains, and employees making the booking would not be able to use their work email to do so. And it is likely that employees using personal emails for such company purposes would be a breach of SOP.
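To make the trade-off discussed in this thread concrete, the following is an added example (not code from the `pe` project or from either commenter). It places the allowlist behaviour quoted from the User Guide (only `gmail`, `yahoo`, `outlook`, `hotmail`, `icloud`; 50-character limit) next to a structural validator that accepts any well-formed domain while still bounding length and character set. Assumptions: the 64-character local-part and 254-character total limits are taken from RFC 5321, "domain label that is supported" is read as the label directly before the top-level label (so `gmail` in `gmail.com`), and the regexes are deliberately simplified (no quoted local parts, no IP-literal domains). The sample addresses are constructed for the demonstration.

```python
import re

# Allowlist quoted from the User Guide on this page.
ALLOWED_DOMAIN_LABELS = {"gmail", "yahoo", "outlook", "hotmail", "icloud"}
ALLOWLIST_MAX_TOTAL = 50          # 50-character limit quoted from the User Guide

# Structural limits (assumption: RFC 5321 values, not taken from the project).
MAX_LOCAL_PART = 64
MAX_TOTAL = 254

# Simplified dot-atom local part (assumption: quoted local parts are not handled).
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$")
# One DNS label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_email(email):
    """Return (local, domain) or None when there is not exactly one '@'."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    return local, domain


def is_valid_email(email):
    """Structural check: bounded length, bounded character set, well-formed domain.
    Any domain with at least two labels and an alphabetic TLD is accepted."""
    parts = split_email(email)
    if parts is None:
        return False
    local, domain = parts
    if len(email) > MAX_TOTAL or len(local) > MAX_LOCAL_PART or not local:
        return False
    if not LOCAL_PART_RE.match(local):
        return False
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return False
    tld = labels[-1]
    return tld.isalpha() and len(tld) >= 2


def is_valid_allowlisted(email):
    """The restrictive behaviour described in the User Guide, layered on top of
    the structural check: only five provider labels and a 50-character limit."""
    if not is_valid_email(email) or len(email) > ALLOWLIST_MAX_TOTAL:
        return False
    labels = email.split("@")[1].split(".")
    # Assumption: "domain label that is supported" is the label before the TLD.
    return labels[-2] in ALLOWED_DOMAIN_LABELS


def compare(emails):
    """Map each address to (structural_ok, allowlist_ok) so the two policies can be compared."""
    return {e: (is_valid_email(e), is_valid_allowlisted(e)) for e in emails}


if __name__ == "__main__":
    # Constructed sample input; the two university addresses come from this thread.
    samples = [
        "alice@gmail.com",
        "e0123456@u.nus.edu",
        "bob@nus.edu.sg",
        "guest@corporate-client.example",
        "a" * 65 + "@example.com",   # local part over 64 chars
        "bob@@nus.edu.sg",           # two '@'
        "bob@localhost",             # single label, no TLD
        "bob@-bad.example.com",      # label with leading hyphen
    ]
    for addr, (structural, allow) in compare(samples).items():
        print(f"{addr[:40]:<40} structural={structural!s:<5} allowlist={allow}")
```

The point the example makes is the one raised in the disagreement: an allowlist of consumer providers rejects `nus.edu.sg`, `u.nus.edu` and any corporate domain without buying anything the structural check does not already provide. Bounding the length and character set is what protects the application from oversized or malformed input; whether the domain is `gmail.com` is not a security property, and the stored address should in any case be treated as opaque data (escaped on output, passed as a parameter to any query) regardless of which domain it carries.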