AntFleet

Disagreement · 70f6bb2c-anthropic-5

action parameter silently coerced — typos default to 'enable'

solo Opus
repo e24ef98c·PR #9·reviewed 1 week ago

Opus finding

action parameter silently coerced — typos default to 'enable'

low · api-contract · high
  • apps/web/app/api/opt-in/route.ts:38-40
Any value that isn't exactly 'disable' (including 'Disable', 'DISABLE', 'off', or a misencoded variant) falls back to enable. If the onboarder ever emits a different casing, or a user hand-edits the URL intending to disable, they silently enable instead. For an opt-in surface that flips a public visibility flag, the asymmetry is risk-relevant: failing open to enable when disable was intended could publish data the user wanted hidden.

Recommendation

Reject unknown action values with a 400 error. Match case-insensitively only if intentional.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.