AntFleet

Disagreement · 2385fc2f-anthropic-2

parseBeforeCursor accepts any Date-parseable string, including future dates and strings like 'foo 2026'

solo Opus
repo e24ef98c · PR #4 · reviewed 2 weeks ago

Opus finding

low · api-contract · medium
  • apps/web/app/receipts/page.tsx:76-81
new Date() is permissive: 'new Date("2026")' parses, as do many ambiguous strings. The cursor is forwarded into a DB query (loadPublicReceiptsPage). While the query likely binds it safely as a parameter, accepting arbitrary parseable strings could yield surprising pagination URLs that leak as canonical-ish links and confuse search engines. Comment claims malformed cursors silently drop, which is true for NaN dates but not for permissive-but-wrong dates.

Recommendation

Require strict ISO-8601 (e.g. parse with a regex check) before constructing the Date, so only the exact format emitted by nextCursor (closedAtIso) is accepted.
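
A sketch of the strict check recommended above, added here as an example; it is not code from the reviewed repository or from the reviewer. The name `parseBeforeCursorStrict`, the input type, and the assumption that `nextCursor` emits `Date.prototype.toISOString()` output are hypothetical, and the future-date rejection goes one step past the recommendation to cover the case named in the finding's title.

```typescript
// Added example. Assumes cursors look like "2026-01-15T09:30:00.000Z",
// i.e. exactly what Date.prototype.toISOString() produces.
const ISO_CURSOR = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;

// Hypothetical strict variant of parseBeforeCursor.
// Returns null for anything that is not a canonical, non-future timestamp.
function parseBeforeCursorStrict(
  raw: string | string[] | undefined,
  now: Date = new Date(),
): Date | null {
  // Assumption: a repeated query parameter arrives as an array; reject it.
  if (typeof raw !== "string") return null;
  // Shape check first, so "2026", "foo 2026" and "Jan 1 2026" never reach Date.
  if (!ISO_CURSOR.test(raw)) return null;
  const parsed = new Date(raw);
  if (isNaN(parsed.getTime())) return null;
  // Round trip rejects shape-valid but impossible dates that an engine
  // may roll over instead of refusing, e.g. "2026-02-30T00:00:00.000Z".
  if (parsed.toISOString() !== raw) return null;
  // Assumption: a receipt cannot have closed later than the current time.
  if (parsed.getTime() > now.getTime()) return null;
  return parsed;
}

// Constructed sample cursors, evaluated against a fixed clock.
function demoCursorResults(): Record<string, boolean> {
  const now = new Date("2026-06-01T00:00:00.000Z");
  const samples = [
    "2026-01-15T09:30:00.000Z", // canonical, in the past: accepted
    "2026",                     // Date-parseable but not canonical
    "foo 2026",                 // the string from the finding's title
    "2026-02-30T00:00:00.000Z", // right shape, impossible day
    "2027-01-01T00:00:00.000Z", // right shape, in the future
  ];
  const out: Record<string, boolean> = {};
  for (const s of samples) out[s] = parseBeforeCursorStrict(s, now) !== null;
  return out;
}
```

Callers treat `null` the same way as a missing cursor, so a rejected value falls back to the first page instead of producing a distinct pagination URL.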

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.