okTurtles / group-income

A decentralized and private (end-to-end encrypted) financial safety net for you and your friends.
https://groupincome.org
GNU Affero General Public License v3.0
331 stars 44 forks

Users can get around `DECIMALS_MAX` using exponential/scientific notation #2409

Open dotmacro opened 5 days ago

dotmacro commented 5 days ago

Problem

The user can enter a pledge in exponential/scientific notation. This in itself is not a problem, especially as the app supports a currency with DECIMALS_MAX = 8.

However, the user can enter a number with more decimal places than DECIMALS_MAX by using exponential/scientific notation to enter their pledge.

For example, this user can enter a pledge of 2e-15 or 2.1234e-15, which the app (correctly and appropriately) rounds to 0.


The UI will not let the user enter a pledge of 2.12345e-15

Solution

Ensure users cannot enter a pledge with more decimal places than allowed.
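One way to close the gap described in this report, added here as an example and not code from group-income: count the decimal places of the expanded value, so that exponent notation such as `2.1234e-15` is judged the same way as a plain decimal. `DECIMALS_MAX = 8` is the value quoted in the issue; the function names are assumptions.

```javascript
// Added example (not group-income code). DECIMALS_MAX = 8 is taken from the issue;
// the function names below are assumptions.
const DECIMALS_MAX = 8;

// Optional sign, integer digits, optional fraction, optional exponent.
const NUMBER_RE = /^[+-]?(\d*)(?:\.(\d*))?(?:[eE]([+-]?\d+))?$/;

// Returns the number of fractional digits needed to write `input` exactly
// (e.g. "2e-15" -> 15, "1.5e3" -> 0), or null if it is not a decimal number.
function decimalPlaces(input) {
  const m = NUMBER_RE.exec(String(input).trim());
  if (!m) return null;
  const intPart = m[1] || '';
  const fracPart = m[2] || '';
  if (intPart === '' && fracPart === '') return null; // e.g. "." or "e5"
  const exponent = m[3] ? parseInt(m[3], 10) : 0;
  // Treat all digits as one integer and track where the point sits from the right:
  // "2.1234e-15" -> digits "21234", point 4 + 15 = 19 places from the right.
  const digits = intPart + fracPart;
  let scale = fracPart.length - exponent;
  // Trailing zeros do not add precision: "2.500e-2" is 0.025, "1000e-2" is 10.
  let trailingZeros = 0;
  for (let i = digits.length - 1; i >= 0 && digits[i] === '0'; i--) trailingZeros++;
  if (trailingZeros === digits.length) return 0; // the value is zero
  scale -= Math.min(trailingZeros, Math.max(scale, 0));
  return Math.max(scale, 0);
}

// Validation as the issue proposes: reject input with more decimals than allowed,
// whether the excess digits were typed directly or hidden behind an exponent.
function isPledgeInputValid(input, maxDecimals = DECIMALS_MAX) {
  const places = decimalPlaces(input);
  return places !== null && places <= maxDecimals;
}
```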

corrideat commented 2 days ago

This library of mine might be relevant: https://www.npmjs.com/package/intl-number-parser (it solves a slightly different problem, namely parsing numbers in different locales, so long as they are decimal-based)