AntFleet

Disagreement · 83d93ed0-openai-2

Coinbase Pay fallback URL builds JSON query params without URL-encoding, risking malformed links

solo GPT-5
repo 5149da9d · PR #1 · reviewed 2 days ago

GPT-5 finding

Coinbase Pay fallback URL builds JSON query params without URL-encoding, risking malformed links

low · api-contract · high
  • desktop/renderer/src/components/wallet/WalletView.tsx:224-230
The code interpolates address into a JSON string inside the query string without encodeURIComponent. While addresses are typically hex, proper URL-encoding is required for correctness and future-proofing; unencoded braces and quotes can break URLs.

Recommendation

Construct query params with `encodeURIComponent` and `JSON.stringify`. Example: `const addresses = encodeURIComponent(JSON.stringify({ [address]: ["base"] })); const assets = encodeURIComponent(JSON.stringify(["USDC"]));` then use `...?addresses=${addresses}&assets=${assets}`.
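The two ways of building the fallback link side by side, as an added example that is not code from the PR or from the reviewer: the interpolated variant the finding describes next to the encoded variant it recommends, with a check against the RFC 3986 query grammar and a round-trip through the browser's URL parser. The base URL, the `addresses`/`assets` parameter names and the sample values are assumptions.

```javascript
// Added example (not from the PR or the reviewer). The Coinbase Pay base URL
// and query parameter names below are assumptions, not taken from the project.
const PAY_BASE = "https://pay.coinbase.com/buy/select-asset";

// Variant the finding describes: JSON text interpolated verbatim into the query.
function buildFallbackUrlUnencoded(address) {
  return `${PAY_BASE}?addresses={"${address}":["base"]}&assets=["USDC"]`;
}

// Recommended variant: serialise with JSON.stringify, then percent-encode each value.
function buildFallbackUrlEncoded(address) {
  const addresses = encodeURIComponent(JSON.stringify({ [address]: ["base"] }));
  const assets = encodeURIComponent(JSON.stringify(["USDC"]));
  return `${PAY_BASE}?addresses=${addresses}&assets=${assets}`;
}

// RFC 3986: query = *( pchar / "/" / "?" ),
// pchar = unreserved / pct-encoded / sub-delims / ":" / "@".
// Braces, double quotes and square brackets are in none of those sets.
const RFC3986_QUERY = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$/;

// True when every character of the query component is legal under RFC 3986.
function hasRfc3986ValidQuery(url) {
  const withoutFragment = url.split("#")[0];
  const query = withoutFragment.split("?").slice(1).join("?");
  return RFC3986_QUERY.test(query);
}

// Parse the link the way a receiving page would and return the decoded
// `addresses` object, or null if the JSON did not survive the trip.
function readAddressesParam(url) {
  const raw = new URL(url).searchParams.get("addresses");
  try {
    return JSON.parse(raw);
  } catch {
    return null;
  }
}

// Constructed sample values: a placeholder hex address, and a deliberately
// awkward identifier containing "&" to show what percent-encoding protects.
const SAMPLE_HEX = "0x0000000000000000000000000000000000000001";
const SAMPLE_AWKWARD = "a&b";
```

The unencoded link fails the RFC 3986 check even for a plain hex address, and for a value containing `&` the `addresses` parameter is cut off at the ampersand; the encoded link passes the check and decodes back to the original object in both cases.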

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
