[HOLD for payment 2024-02-07] [$500] Display Name - User can save Expensify and Concierge as a last name while error is thrown #34304
Comments
lanitochka17
added
External
melvin-bot
bot
changed the title
|
Job added to Upwork: https://www.upwork.com/jobs/~01afa29712aeb0580b |
|
Triggered auto assignment to @zanyrenney ( |
melvin-bot
bot
added
the
Help Wanted
|
Triggered auto assignment to Contributor-plus team member for initial proposal review - @fedirjh ( |
ProposalPlease re-state the problem that we are trying to solve in this issue.Display Name - User can save Expensify and Concierge as a last name while error is thrown What is the root cause of that problem?This happens as we are not checking the lastName for reserved words on this page: App/src/pages/settings/Profile/DisplayNamePage.js Lines 56 to 72 in 8a559fd What changes do you think we should make in orderWe should add error checking like we did for first Name if (ValidationUtils.doesContainReservedWord(values.lastName, CONST.DISPLAY_NAME.RESERVED_LAST_NAMES)) {
ErrorUtils.addErrorMessage(errors, 'firstName', 'personalDetails.error.containsReservedWord');
}AlternativelyWe may add failure data for this request here: App/src/libs/actions/PersonalDetails.ts Line 134 in c8631be |
ProposalPlease re-state the problem that we are trying to solve in this issue.Display Name - User can save Expensify and Concierge as a last name while error is thrown What is the root cause of that problem?We dont check if the last name is one of the reserved words similar to first name App/src/pages/settings/Profile/DisplayNamePage.js Lines 63 to 65 in 9208c95 What changes do you think we should make in order to solve the problem?we need to add a validation here for the last name as well if (ValidationUtils.doesContainReservedWord(values. lastName, CONST.DISPLAY_NAME.RESERVED_FIRST_NAMES)) {
ErrorUtils.addErrorMessage(errors, 'lastName', 'personalDetails.error.containsReservedWord');
} |
ProposalPlease re-state the problem that we are trying to solve in this issue.User is able to save the 'Expensify' or 'Concierge' as last name What is the root cause of that problem?
What changes do you think we should make in order to solve the problem?
What alternative solutions did you explore? (Optional)We should additionally evaluate other names like workspace names, room names, personal bank information first & last names, ... to see if we should apply the same reserved words restriction, I think it makes sense to restrict in those places as well to reduce frauds. Another approach for 2, is to remove the linkage between Legal name and Display name, so if Display name is not already set, when we set Legal name, it should not set Display name to the same values. |
|
I think it's intentional to validate only first name but not last name. And it's what backend already does. |
@mkhutornyi It seems that the backend also validates the last name and that’s why it throws this error : 
|
|
@puneetlath Should we add the name validation for the legal name page ? As currently user can save legal name as 
|
|
Does the API call fail? If not, I don't think it's necessary. |
|
@puneetlath hi, the name seems to reset on logout and login. Also not validating last name would allow the user to impersonate Expensify or Concierge: Videoce48befa-09b9-46bb-b008-a731c677d4b7.mp4And the backend does return an error. Shown next time we visit the page: VideoScreen.Recording.2024-01-12.at.4.25.53.AM.movThe name will be reset on next login. We can save this optimistically as there is no front end validation. I think we should we fix this |
@puneetlath if we allow legal name to contains, So the user can use that as a workaround to impersonate |
@puneetlath The api call returns an error (which means req failure), I think we have missing |
|
Ok got it! In that case, yes, I think we should have front-end validation for that. |
|
@dukenv0307 It seems that the backend does not have any validation rules for the legal name. I think we should stick with that and just implement the necessary validation solely for the display name. |
@fedirjh What do you think? If we don't fix in legal name, I'll still be able to set the forbidden words as the display name. |
|
@dukenv0307 When display name is not set, it will fallback to the email address instead of the legal name. I guess the legal name is only used in the add bank account flow. |
|
@fedirjh Please see the below video:
So the legal name will become display name if the display name is not already set Screen.Recording.2024-01-15.at.7.00.04.PM.mp4 |
|
@dukenv0307 Interesting find, I could reproduce with a new account as well. It seems that we should add both front End and backend validation to the legal name. cc @puneetlath your thoughts on this bug? It seems that it will require a backend fix. 
|
|
Hm, I'm not eager to do anything then if it requires a back-end update. We can solve it if/when it becomes a real problem. |
@puneetlath this is a security issue if we don't fix it, the user can impersonate Expensify/Concierge which is what we tried to prevent in the first place. I'd say at least we should fix in the front-end to not allow that to happen, so regular users cannot do such things. The back-end doesn't need to be updated for now. |
|
bump @puneetlath for your thoughts please? |
|
have sent @puneetlath a DM asking him to take a look. |
|
After discussing with @puneetlath in DM, he agreed that we should fix this. I think we should just focus on the front-end fix for now though @dukenv0307 - please keep pressing ahead if @fedirjh agrees your proposal is preferable. |
|
Thanks @zanyrenney ! @fedirjh do you think we should move forward with my proposal? |
|
@zanyrenney Thanks for the feedback. In this case, it makes sense to proceed with @dukenv0307's proposal. Let’s add the required front-end validation to both last name and legal name fields. 🎀 👀 🎀 C+ reviewed |
|
Triggered auto assignment to @Julesssss, see https://stackoverflow.com/c/expensify/questions/7972 for more details. |
|
Sounds good |
melvin-bot
bot
removed
the
Help Wanted
|
📣 @fedirjh 🎉 An offer has been automatically sent to your Upwork account for the Reviewer role 🎉 Thanks for contributing to the Expensify app! |
|
📣 @dukenv0307 🎉 An offer has been automatically sent to your Upwork account for the Contributor role 🎉 Thanks for contributing to the Expensify app! Offer link |
melvin-bot
bot
added
Reviewing
melvin-bot
bot
changed the title
|
|
|
The solution for this issue has been 🚀 deployed to production 🚀 in version 1.4.34-1 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue: If no regressions arise, payment will be issued on 2024-02-07. 🎊 For reference, here are some details about the assignees on this issue:
|
|
BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:
|
|
Payment summary @fedirjh requires payment automatic offer (Reviewer) - PAID $500 |
If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!
Version Number: 1.4.24-0
Reproducible in staging?: Y
Reproducible in production?: Y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Expensify/Expensify Issue URL:
Issue reported by: Applause - Internal Team
Slack conversation:
Action Performed:
Expected Result:
User shouldn't be able to save the 'Expensify' or 'Concierge' as last name
Actual Result:
User is able to save the 'Expensify' or 'Concierge' as last name
Workaround:
Unknown
Platforms:
Which of our officially supported platforms is this issue occurring on?
Screenshots/Videos
Add any screenshot/video evidence
Bug6338345_1704929835247.Screen_Recording_2024-01-10_at_10.34.33_at_night.mp4
View all open jobs on GitHub
Upwork Automation - Do Not Edit
The text was updated successfully, but these errors were encountered: