Open STommydx opened 4 years ago
Similar issue actually happened in the first bounty program before when I try to use a wrong URL request to add and get a book. We even have some argument here about exception caused by using a wrong URL request should be a bug or not:
https://github.com/chihimng/COMP4111_Project/issues/12 https://github.com/chihimng/COMP4111_Project/issues/11
However, according to TA, this is not considered as a bug. (Undefined bug by spec)
I would personally consider this as a security issue more. It is an unintended access and modification of the records. @comp4111ta has clarified in the "End of phase 1" email: any security problem with real impacts are bugs. Let's leave the decision to @comp4111ta.
Anyway, many groups (including myself) has this same issue. You are not alone lol.
Hi, this is undefined behavior. If you can get the data from the database, it is a security problem.
Describe the bug Requests with invalid paths successfully update the database. To be particular, the subpaths between
books
andid
(exclusive) are ignored.To Reproduce
1
for first run.DELETE /BookManagementService/books/hi/1?token={{token}}
Expected behavior
400 Bad Request
or404 Not Found
or other reasonable custom behavior The book remains in the database, which can be verified with a lookup quest.GET /BookManagementService/books?id=1&token={{token}}
Response of lookup request:
200 OK
What actually happens
200 OK
The book is indeed deleted, which can be verified with a lookup quest.GET /BookManagementService/books?id=1&token={{token}}
Response of lookup request:
204 No content