AntFleet

Disagreement · f411be15-anthropic-1

Opt-in route: action parameter accepts anything non-'disable' as 'enable' silently

solo Opus
repo e24ef98c · PR #11 · reviewed 1 week ago

Opus finding

Opt-in route: action parameter accepts anything non-'disable' as 'enable' silently

low · api-contract · high
  • apps/web/app/api/opt-in/route.ts:29-31
Any value of `action` other than the literal string 'disable' (including typos like 'disabled', 'DISABLE', 'off', or '') is silently treated as 'enable'. A user who clicks an opt-out link with a typo or case-mismatch (`?action=Disable`) would have their repo's receipts flipped to public instead of disabled — the opposite of intent. Because this surface flips a privacy bit that controls whether closed findings appear on /receipts, the unsafe default direction (enable on any unknown action) is the wrong way to fail.

Recommendation

Treat absent `action` as 'enable' (current first-time-opt-in semantics), explicitly recognize 'enable' and 'disable', and reject all other values with a 400 error page. At minimum, do case-insensitive compare for 'disable' and fail closed (default to 'disable') if the param is present but unrecognized, since flipping a privacy flag to the more-exposing side on ambiguous input is the unsafe direction.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
