AntFleet

Disagreement · bdb225d0-anthropic-6

Receipts page `before` cursor accepts any parseable date string — no upper bound, allowing scan from far future

solo Opus
repo e24ef98c · PR #10 · reviewed 1 week ago

Opus finding

low · api-contract · high
  • apps/web/app/receipts/page.tsx:178-184
Any valid ISO string passes — including '9999-12-31T23:59:59Z'. While the underlying query is bounded by LIMIT, a malicious URL can force the page to behave as 'paginated' (showing 'Older receipts' header even when the result equals latest). Minor UX/SEO smell — Google would crawl arbitrary `?before=` permutations. Mitigated somewhat by `force-dynamic` but the page is publicly served and indexable.

Recommendation

Reject `before` cursors in the future (clamp to now or return undefined) and consider adding `noindex` on paginated pages.
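A strict cursor parser that applies the recommendation, as an added example (this is not code from the PR or repository under review; the function names, the `searchParams` value shape and the `robots` helper are assumptions). It accepts only the exact ISO timestamp format the page itself emits, rejects anything unparseable, and returns `undefined` for any cursor later than "now", so the request falls back to the latest receipts instead of rendering the paginated path:

```typescript
// Added example, not the PR's own code: strict parsing of a `?before=`
// pagination cursor. Missing, malformed, or future values all yield
// undefined, which the page treats as "show the latest receipts".

// Only the shape produced by Date.prototype.toISOString() (UTC, optional
// milliseconds) is accepted, not everything Date.parse tolerates.
const ISO_CURSOR = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?Z$/;

// `raw` mirrors the Next.js searchParams value type (assumption):
// string | string[] | undefined. Only a single string can be a cursor.
export function parseBeforeCursor(
  raw: string | string[] | undefined,
  now: Date = new Date(),
): Date | undefined {
  if (typeof raw !== "string") return undefined;
  if (!ISO_CURSOR.test(raw)) return undefined;
  const parsed = new Date(raw);
  if (Number.isNaN(parsed.getTime())) return undefined;
  // A cursor after "now" can never be a real page boundary; it only forces
  // the paginated rendering path ("Older receipts" header) for free.
  if (parsed.getTime() > now.getTime()) return undefined;
  return parsed;
}

// The page is paginated only when a valid, non-future cursor survived.
export function isPaginated(before: Date | undefined): boolean {
  return before !== undefined;
}

// Hypothetical helper for the second recommendation: paginated permutations
// are marked noindex. The object shape follows the `robots` field of the
// Next.js App Router metadata API (assumption about how it would be wired in).
export function robotsFor(
  before: Date | undefined,
): { index: boolean; follow: boolean } {
  return before === undefined
    ? { index: true, follow: true }
    : { index: false, follow: true };
}
```

The `now` parameter is injected rather than read inside the function so the future-bound check is deterministic under test; in the page it would simply be left at its default. Choosing `undefined` over clamping keeps a single canonical URL for the latest page, which is also what the `noindex` recommendation wants.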

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
