AntFleet

Disagreement · 7284403c-anthropic-1

Platform /auth/verify expiresIn coerced unsafely — non-numeric or string value yields NaN expiresAt

solo Opus
repo 799b2361 · PR #2 · reviewed 5 days ago

Opus finding

medium · bug · high
  • src/api/platform.ts:102-116
data.expiresIn is typed unknown and cast with `as number` without runtime validation. If the platform returns expiresIn as a string (e.g. "86400") or anything non-numeric, `now + expiresInSec * 1000` becomes NaN. expiresAt: NaN then survives into the session cache; the getOrRefreshSession check `Date.now() + REFRESH_MARGIN_MS < cached.expiresAt` is false for NaN, so it'd refresh on every call — but the emitted ISO/remainingSeconds in auth.ts would show Invalid Date / negative numbers (Math.max guards remainingSec, but new Date(NaN).toISOString() throws RangeError, crashing the auth command after a successful sign-in).

Recommendation

Coerce safely: `const expiresInSec = typeof data.expiresIn === 'number' ? data.expiresIn : Number(data.expiresIn) || 86400;` and validate the result is finite.
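The unsafe cast beside a validated parse, as an added TypeScript example (not code from the reviewed PR or from AntFleet): the response shape, the 86400-second fallback, the refresh margin and the consumer helpers are assumptions taken from the finding text.

```typescript
// Added example, not the reviewed repo's code. Shapes and constants below are assumed.
type VerifyResponse = { expiresIn: unknown };

const DEFAULT_EXPIRES_IN_SEC = 86400; // fallback named in the recommendation (assumed)

/** The pattern the finding describes: a compile-time cast with no runtime check. */
export function unsafeExpiresAt(data: VerifyResponse, now: number): number {
  const expiresInSec = data.expiresIn as number; // `as` narrows the type only
  return now + expiresInSec * 1000; // undefined or a non-numeric string yields NaN
}

/** Validated parse: finite, positive number or numeric string; anything else falls back. */
export function parseExpiresInSec(raw: unknown, fallback = DEFAULT_EXPIRES_IN_SEC): number {
  const n = typeof raw === 'number' ? raw : typeof raw === 'string' ? Number(raw.trim()) : NaN;
  return Number.isFinite(n) && n > 0 ? n : fallback;
}

export function safeExpiresAt(data: VerifyResponse, now: number): number {
  return now + parseExpiresInSec(data.expiresIn) * 1000;
}

/** The session-cache freshness check quoted in the finding (margin value assumed). */
export function isFresh(expiresAt: number, now: number, refreshMarginMs = 60_000): boolean {
  return now + refreshMarginMs < expiresAt; // any comparison against NaN is false
}

/** Mirrors the auth.ts consumers named in the finding: ISO timestamp and remaining seconds. */
export function describeExpiry(expiresAt: number, now: number): { iso: string; remainingSec: number } {
  return {
    iso: new Date(expiresAt).toISOString(), // throws RangeError when expiresAt is NaN
    remainingSec: Math.max(0, Math.floor((expiresAt - now) / 1000)),
  };
}
```

With a NaN expiresAt the cache check never reports the session as fresh, and the ISO formatting throws, which is the crash path the finding describes.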

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.